--- Day changed Tue Jan 05 2016
00:17 -!- OS-16517 [~YBPL@unaffiliated/os-16517] has joined #openvpn
00:50 -!- dionysus69 [~Thunderbi@unaffiliated/dionysus69] has joined #openvpn
01:36 -!- zylinx [uid43406@gateway/web/irccloud.com/x-oonjcknplstbkczh] has joined #openvpn
02:24 -!- HollowPoint [~quassel@62.255.245.182] has joined #openvpn
03:10 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn
03:25 -!- weox [uid112413@gateway/web/irccloud.com/x-sooecyhtzwngsabc] has joined #openvpn
04:12 -!- speeddragon [~speeddrag@193.137.28.200] has joined #openvpn
04:20 -!- ponyofdeath [~vladi@cpe-76-172-86-115.socal.res.rr.com] has quit [Ping timeout: 272 seconds]
04:44 < [Mew2]> Hey how does a CRL work?
04:45 < [Mew2]> Can't the revokee just change the cert name to a valid one and still get in?
04:45 < [Mew2]> Or is the user banned some other way?
04:45 < apollo13> [Mew2]: sure he can change the cert name, but the signature no longer is valid then
04:47 < [Mew2]> So if I change my current cert file name I won't be able to connect?
05:23 -!- speeddragon [~speeddrag@193.137.28.200] has quit [Remote host closed the connection]
05:26 -!- speeddragon [~speeddrag@193.137.28.200] has joined #openvpn
05:26 < Neighbour> the filename of the cert is irrelevant for the client
05:27 < Neighbour> the server checks the CN of the certificate, and you can't change that without invalidating the certificate itself
05:28 < [Mew2]> Ok thanks Neighbour and apollo13 :)
05:35 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has joined #openvpn
06:11 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has joined #openvpn
06:16 -!- ikonia [~irc@unaffiliated/ikonia] has quit [Remote host closed the connection]
06:23 -!- ikonia [~irc@unaffiliated/ikonia] has joined #openvpn
06:44 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds]
06:45 -!- skyroveRR_ [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
06:45 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Quit: skyroveRR]
06:45 -!- skyroveRR_ is now known as skyroveRR
06:46 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn
06:56 -!- ponyofdeath [~vladi@cpe-76-172-86-115.socal.res.rr.com] has joined #openvpn
06:58 -!- speeddragon [~speeddrag@193.137.28.200] has quit [Remote host closed the connection]
07:03 -!- zylinx [uid43406@gateway/web/irccloud.com/x-oonjcknplstbkczh] has quit [Quit: Connection closed for inactivity]
07:04 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
07:57 -!- speeddragon [~speeddrag@193.137.28.200] has joined #openvpn
07:58 -!- dionysus69 [~Thunderbi@unaffiliated/dionysus69] has quit [Ping timeout: 272 seconds]
08:01 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 260 seconds]
08:02 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
08:03 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
08:03 -!- unix4linux_ [~unix4linu@75.112.21.38] has quit [Ping timeout: 272 seconds]
08:15 -!- dionysus69 [~Thunderbi@unaffiliated/dionysus69] has joined #openvpn
08:44 -!- yoink [~yoink@66.171.168.10] has quit [Quit: ...]
08:52 -!- yoink [~yoink@66.171.168.10] has joined #openvpn
08:52 -!- yoink [~yoink@66.171.168.10] has quit [Client Quit]
09:11 -!- DarkByD3sign [~Dark@94.5.136.137] has joined #openvpn
09:11 < DarkByD3sign> Hi all.
09:11 < DarkByD3sign> I'm hoping somebody may be able to help.
09:12 < DarkByD3sign> I'm running a digital ocean VPS and I'm trying to set up OpenVPN-as however when this is installed on my Ubuntu 15.10 x64 distro I'm unable to connect with the link OpenVPN-as provides - I just keep getting an ERR CONNECTION REFUSED message via my browser on my main machine.
09:14 < DArqueBishop> !as
09:14 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
09:14 < DarkByD3sign> Noted thanks.
09:14 -!- DarkByD3sign [~Dark@94.5.136.137] has left #openvpn []
09:16 -!- speeddragon [~speeddrag@193.137.28.200] has quit [Remote host closed the connection]
09:16 -!- speeddragon [~speeddrag@193.137.28.200] has joined #openvpn
09:22 -!- HollowPoint [~quassel@62.255.245.182] has quit [Ping timeout: 240 seconds]
09:23 -!- HollowPoint [~quassel@62.255.245.182] has joined #openvpn
09:32 -!- tdn [~tdn@62.198.234.11] has quit [Ping timeout: 272 seconds]
09:43 -!- dazo_afk is now known as dazo
09:44 -!- somis [~somis@70.38.6.189] has joined #openvpn
09:46 -!- LordDragon [~Dragon@unaffiliated/lorddragon] has left #openvpn ["Leaving"]
09:48 -!- jesopo is now known as you_lost_the_gam
09:48 -!- you_lost_the_gam is now known as jesopo
09:56 -!- tdn [~tdn@syrah.adora.dk] has joined #openvpn
10:08 -!- flyingkiwi [~kiwi@manu.backend.hamburg] has left #openvpn ["Leaving"]
10:09 -!- GFXDude [~GFXDude@ciscoasa.ecrsoft.com] has quit []
10:17 -!- flyingkiwi [~kiwi@manu.backend.hamburg] has joined #openvpn
10:23 -!- HollowPoint [~quassel@62.255.245.182] has quit [Remote host closed the connection]
10:31 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has quit [Remote host closed the connection]
10:34 -!- leonarth [~leonarth@unaffiliated/leonarth] has joined #openvpn
10:45 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
10:45 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
10:56 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
10:56 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
11:17 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
11:17 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:18 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
11:20 -!- blurgher [~blurgher@212.18.232.88] has quit [Ping timeout: 260 seconds]
12:09 -!- SomeRandom [~SomeRando@110.141.171.113] has left #openvpn ["Leaving"]
12:11 -!- unix4linux_ [~unix4linu@75.112.21.38] has joined #openvpn
12:24 -!- dazo is now known as dazo_afk
12:28 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
12:45 -!- toretore [~toretore@crr06-3-82-231-12-81.fbx.proxad.net] has quit [Ping timeout: 265 seconds]
12:48 -!- leonarth [~leonarth@unaffiliated/leonarth] has quit []
12:55 -!- CaTtleyA [~CaTtleyA@aputeaux-653-1-138-246.w86-195.abo.wanadoo.fr] has joined #openvpn
12:59 -!- unix4linux_ [~unix4linu@75.112.21.38] has quit [Ping timeout: 264 seconds]
13:05 -!- speeddragon [~speeddrag@193.137.28.200] has quit [Ping timeout: 260 seconds]
13:23 -!- leonarth [~leonarth@unaffiliated/leonarth] has joined #openvpn
13:36 -!- pringlescan [~Adium@50.153.88.2] has joined #openvpn
13:37 < pringlescan> When running Linux in a KVM guest, with NIC MTU of 1500 from origin of traffic to destination, I can only use a tun-mtu of 1344 or OpenVPN doesn't work over UDP… where should I head to figure out what's going on here?
13:40 < Ryushin> What is the syntax for the listen directive for both ipv4 and ipv6? local 10.10.1.1 on one line and local 2001:1900:1500::75 on the other does not work.
13:44 < saik0> Where are the deb sources for packages on swupdate.openvpn.net?
13:57 < saik0> mattock: ^
13:58 -!- leonarth [~leonarth@unaffiliated/leonarth] has quit []
14:04 -!- [Mew2] [~m@unaffiliated/pokemaster] has quit [Quit: m]
14:08 -!- [Mew2] [~m@unaffiliated/pokemaster] has joined #openvpn
14:09 -!- leonarth [~leonarth@unaffiliated/leonarth] has joined #openvpn
14:11 -!- dionysus69 [~Thunderbi@unaffiliated/dionysus69] has quit [Quit: dionysus69]
14:29 -!- leonarth [~leonarth@unaffiliated/leonarth] has quit [Read error: Connection reset by peer]
14:39 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Quit: Apparantly my attempt to stay awake has failed...]
14:40 -!- [Mew2] [~m@unaffiliated/pokemaster] has quit [Quit: m]
14:42 -!- [Mew2] [~m@unaffiliated/pokemaster] has joined #openvpn
14:45 < saik0> mattock: ah, nevermind found sbuild wrapper
14:46 -!- speeddragon [~speeddrag@sm2-84-91-40-157.netvisao.pt] has joined #openvpn
14:58 -!- toli [~toli@ip-62-235-237-195.dsl.scarlet.be] has quit [Ping timeout: 246 seconds]
15:01 -!- toli [~toli@ip-62-235-220-69.dsl.scarlet.be] has joined #openvpn
15:04 -!- speeddragon [~speeddrag@sm2-84-91-40-157.netvisao.pt] has quit [Remote host closed the connection]
15:23 -!- speeddragon [~speeddrag@sm2-84-91-40-157.netvisao.pt] has joined #openvpn
15:32 -!- speeddragon [~speeddrag@sm2-84-91-40-157.netvisao.pt] has quit [Remote host closed the connection]
15:43 -!- sinshiva [~sinshiva@2002:d1d0:41dd::] has joined #openvpn
15:45 -!- sixtoedjesus [~stj@70-125-24-82.res.bhn.net] has quit [Quit: WeeChat 1.1.1]
15:45 -!- sixtoedjesus [~stj@70-125-24-82.res.bhn.net] has joined #openvpn
15:47 -!- speeddragon [~speeddrag@sm2-84-91-40-157.netvisao.pt] has joined #openvpn
15:48 < sinshiva> http://pastebin.com/1qRxHjzu can't make this work with OpenVPN Connect (on iOS)
15:48 < sinshiva> any tips?
15:50 < sinshiva> Authenticate/Decrypt packet error: bad packet ID (may be a replay):
15:50 < sinshiva> TLS Error: incoming packet authentication failed from [AF_INET]
15:50 < sinshiva> that's about as informative as my logs get
15:51 < sinshiva> no problems with the windows client or 'OpenVPN for Android'
15:55 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
15:59 -!- rrichard_ [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
16:00 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
16:00 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Ping timeout: 265 seconds]
16:00 -!- rrichard_ [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Max SendQ exceeded]
16:01 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
16:02 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Max SendQ exceeded]
16:03 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
16:06 -!- dazo_afk is now known as dazo
16:07 -!- unix4linux_ [~unix4linu@75.112.21.38] has joined #openvpn
16:11 < Ryushin> What is the preferred windows client?
16:12 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Quit: Apparantly my attempt to stay awake has failed...]
16:12 < Ryushin> Free, and prefer open source. The OpenVPN.net client does not seem to have a gui to configure any settings. Everything I believe would just reside in the configuration file.
16:14 -!- sixtoedjesus [~stj@70-125-24-82.res.bhn.net] has quit [Changing host]
16:14 -!- sixtoedjesus [~stj@unaffiliated/sixtoedjesus] has joined #openvpn
16:26 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has quit [Quit: Ciao!]
16:34 -!- xalice [~root@2001:bc8:348c:100::1] has quit [Remote host closed the connection]
16:35 -!- xalice [~root@2001:bc8:348c:100::1] has joined #openvpn
16:43 -!- unix4linux_ [~unix4linu@75.112.21.38] has quit [Ping timeout: 260 seconds]
16:45 -!- MyNameIsJared [~MyNameIsJ@212-129-42-52.rev.poneytelecom.eu] has joined #openvpn
16:46 -!- MyNameIsJared [~MyNameIsJ@212-129-42-52.rev.poneytelecom.eu] has left #openvpn ["Leaving"]
16:49 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
16:51 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Max SendQ exceeded]
16:52 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
16:56 -!- sinshiva [~sinshiva@2002:d1d0:41dd::] has left #openvpn ["Leaving"]
17:07 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:53 -!- teksimian [~chatzilla@174-138-204-15.cpe.distributel.net] has joined #openvpn
17:53 -!- deetwelve [~deetwelve@unaffiliated/deetwelve] has quit [Ping timeout: 244 seconds]
17:59 -!- deetwelve [~deetwelve@unaffiliated/deetwelve] has joined #openvpn
18:01 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Remote host closed the connection]
18:01 -!- OS-16517 [~YBPL@unaffiliated/os-16517] has quit []
18:05 -!- jrgcombr [~Jorge@209-82-80-116.dedicated.allstream.net] has joined #openvpn
18:31 -!- dazo is now known as dazo_afk
18:34 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Quit: Apparantly my attempt to stay awake has failed...]
18:39 -!- jrgcombr [~Jorge@209-82-80-116.dedicated.allstream.net] has quit [Ping timeout: 255 seconds]
18:52 -!- deetwelve [~deetwelve@unaffiliated/deetwelve] has quit [Ping timeout: 244 seconds]
19:20 -!- ketas [~ketas@229-211-191-90.dyn.estpak.ee] has quit [Ping timeout: 250 seconds]
19:20 -!- DzAirmaX [~AirmaX@unaffiliated/dzairmax] has quit [Quit: We here br0.... xD]
19:21 -!- Chex [sss@swampjax.northnook.ca] has joined #openvpn
19:23 -!- KNERD [~KNERD@netservisity.com] has quit [Ping timeout: 276 seconds]
19:25 -!- DzAirmaX [~AirmaX@unaffiliated/dzairmax] has joined #openvpn
19:27 -!- [Mew2] [~m@unaffiliated/pokemaster] has quit [Quit: m]
19:28 -!- [Mew2] [~m@unaffiliated/pokemaster] has joined #openvpn
19:41 -!- sdgathman [~sdgathman@2001:470:7:809::2] has joined #openvpn
19:42 < sdgathman> Is there a way to disable all encryption on openvpn and just do tunneling?
19:42 < sdgathman> Application is to supply ip tunneling through cjdns on platforms where cjdns doesn't support the builtin ip tunneling.
19:44 < sdgathman> Short of that, what is the lowest overhead cipher? I'm guessing BF with static keying.
19:45 < sdgathman> Note that cjdns is already end to end encrypted and IPs are not spoofable - so certs are redundant.
19:46 < sdgathman> Oh, maybe RC2 ?
19:52 -!- pringlescan [~Adium@50.153.88.2] has quit [Quit: Leaving.]
19:55 -!- unix4linux_ [~unix4linu@50-88-20-246.res.bhn.net] has joined #openvpn
19:57 -!- speeddragon [~speeddrag@sm2-84-91-40-157.netvisao.pt] has quit [Remote host closed the connection]
19:58 -!- somis [~somis@70.38.6.189] has quit [Quit: Leaving]
19:59 -!- jrgcombr [~Jorge@d50-98-28-122.bchsia.telus.net] has joined #openvpn
20:31 -!- jrgcombr [~Jorge@d50-98-28-122.bchsia.telus.net] has quit [Ping timeout: 250 seconds]
20:44 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has joined #openvpn
21:09 -!- unix4linux_ [~unix4linu@50-88-20-246.res.bhn.net] has quit [Ping timeout: 260 seconds]
21:13 -!- n0b0dyh3r3 [~n0b0dyh3r@93.186.251.170] has joined #openvpn
21:35 -!- tobinski___ [~tobinski@x2f5ecd5.dyn.telefonica.de] has quit [Read error: Connection reset by peer]
21:36 -!- tobinski___ [~tobinski@x2f5f45f.dyn.telefonica.de] has joined #openvpn
21:44 -!- weox [uid112413@gateway/web/irccloud.com/x-sooecyhtzwngsabc] has quit [Quit: Connection closed for inactivity]
22:36 -!- deetwelve [~deetwelve@unaffiliated/deetwelve] has joined #openvpn
22:37 -!- OS-16517 [OS-16517@unaffiliated/os-16517] has joined #openvpn
22:42 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
22:56 -!- ravegen [~androirc@203.215.117.181] has joined #openvpn
22:58 < ravegen> Good day. My isp is possibly blocking me using a transparent proxy. I can't pass thru even with vpn traffic. Any advice how i can circumvent this?
23:01 < Neighbour> stunnel maybe
23:05 < ravegen> I don't have stunnel server to try
23:06 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Quit: Apparantly my attempt to stay awake has failed...]
23:06 < ravegen> Do you have stunnel so i can try?
23:06 < Neighbour> nope
23:08 < ravegen> Ok
23:08 -!- ravegen [~androirc@203.215.117.181] has quit [Quit: AndroIRC - Android IRC Client ( http://www.androirc.com )]
23:09 -!- ShadniX [dagger@p5DDFC27A.dip0.t-ipconnect.de] has quit [Ping timeout: 246 seconds]
23:11 -!- ShadniX [dagger@p5DDFE119.dip0.t-ipconnect.de] has joined #openvpn
23:20 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
23:41 -!- teksimian [~chatzilla@174-138-204-15.cpe.distributel.net] has quit [Ping timeout: 260 seconds]
23:59 -!- [Mew2] [~m@unaffiliated/pokemaster] has quit [Quit: m]
--- Day changed Wed Jan 06 2016
00:00 -!- [Mew2] [~m@unaffiliated/pokemaster] has joined #openvpn
00:19 -!- dionysus69 [~Thunderbi@unaffiliated/dionysus69] has joined #openvpn
00:29 -!- dionysus69 [~Thunderbi@unaffiliated/dionysus69] has quit [Quit: dionysus69]
00:33 -!- ketas [~ketas@229-211-191-90.dyn.estpak.ee] has joined #openvpn
00:49 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn
00:53 -!- n0b0dyh3r3 [~n0b0dyh3r@93.186.251.170] has quit [Ping timeout: 260 seconds]
01:29 -!- [Mew2] [~m@unaffiliated/pokemaster] has quit [Quit: m]
01:29 -!- [Mew2] [~m@unaffiliated/pokemaster] has joined #openvpn
01:41 -!- [Mew2] [~m@unaffiliated/pokemaster] has quit [Quit: m]
01:41 -!- [Mew2] [~m@unaffiliated/pokemaster] has joined #openvpn
02:49 -!- RockyRoad [~mich@unaffiliated/sherkin] has joined #openvpn
02:50 -!- dazo_afk is now known as dazo
03:06 -!- le0 [~le0@unaffiliated/le0] has joined #openvpn
03:07 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has quit [Read error: Connection reset by peer]
03:15 -!- HollowPoint [~quassel@62.255.245.182] has joined #openvpn
03:32 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn
03:56 -!- bf_ [~bf_@xdsl-87-78-33-98.netcologne.de] has joined #openvpn
04:03 -!- speeddragon [~speeddrag@193.137.28.200] has joined #openvpn
04:10 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Ping timeout: 240 seconds]
04:11 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Ping timeout: 260 seconds]
04:18 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn
04:28 -!- Paaltomo [~Paaltomo@159.203.30.107] has quit [Read error: Connection reset by peer]
04:42 -!- RockyRoad [~mich@unaffiliated/sherkin] has quit [Ping timeout: 245 seconds]
04:54 -!- Paaltomo [~Paaltomo@159.203.30.107] has joined #openvpn
05:00 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
05:06 -!- weox [uid112413@gateway/web/irccloud.com/x-hbcmkiottgbbxtpn] has joined #openvpn
05:20 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Quit: Apparantly my attempt to stay awake has failed...]
05:29 -!- ravegen [~androirc@203.215.117.181] has joined #openvpn
05:31 < ravegen> (ravegen) How to scan open ports on my isp firewall for my openvpn config. Please kindly pm me if not allowed to show publicly. Thanks in advance.
05:35 -!- sgronblo [~samu@108.166.105.112] has joined #openvpn
05:36 < sgronblo> Does OpenVPN have support for automatically reading ca, cert etc files from some default file locations if you don't provide them explicitly on the command line? Or is my dd-wrt doing some magic for me?
05:51 <@plaisthos> dd-wrt is doing magic
05:56 -!- somis [~somis@70.38.6.189] has joined #openvpn
06:03 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has joined #openvpn
06:04 -!- ravegen [~androirc@203.215.117.181] has quit [Quit: AndroIRC - Android IRC Client ( http://www.androirc.com )]
06:06 -!- unix4linux_ [~unix4linu@75.112.21.38] has joined #openvpn
06:18 -!- leonarth [~leonarth@unaffiliated/leonarth] has joined #openvpn
06:30 -!- bf_ [~bf_@xdsl-87-78-33-98.netcologne.de] has quit [Quit: KVIrc 4.2.0 Equilibrium http://www.kvirc.net/]
06:35 -!- friendlydave [~dave@cpe-70-94-254-132.new.res.rr.com] has quit [Ping timeout: 272 seconds]
06:38 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
06:39 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has joined #openvpn
06:39 -!- mode/#openvpn [+v hyper_ch] by ChanServ
06:39 <+hyper_ch> hi dazo
06:40 <+hyper_ch> anyone here mounts some fs over openvpn and uses systemd? I'd be interested in the mount's .mount file because x-systemd.requires= doesn't seem to work properly for me
07:27 < sdgathman> Is there a way to disable all encryption on openvpn and just do tunneling? Application is to supply ip tunneling through cjdns on platforms where cjdns doesn't support the builtin ip tunneling.
07:27 <@plaisthos> !noauth
07:27 <@plaisthos> !none
07:27 <@plaisthos> !no-enc
07:28 < sdgathman> Short of that, what is the lowest overhead cipher? Note that cjdns is already end to end encrypted and IPs are not spoofable - so certs are redundant.
07:28 <@plaisthos> !factoids
07:28 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
07:28 < sdgathman> maybe RC2 ?
07:28 <@plaisthos> what is rc2?
07:28 <@plaisthos> !noenc
07:28 <@vpnHelper> "noenc" is (#1) if you're going to disable encryption, you might as well build a GRE tunnel or (#2) Reference --cipher in the manpage (--auth may also be useful to review)
07:28 < sdgathman> vpnHelper: What is a linux app for a GRE tunnel?
07:29 <@plaisthos> sdgathman: vpnHelper is a bot
07:29 <@plaisthos> !google gre linux
07:29 <@vpnHelper> 5.3. GRE tunneling: ; GRE tunneling: ; How to create a GRE tunnel on Linux - Ask Xmodulo:
07:30 -!- msg [~john@unaffiliated/john] has joined #openvpn
07:30 < sdgathman> plaisthos: rc2 is a stream cipher known for low CPU (and is also broken IIRC).
07:32 < sdgathman> plaisthos: Also, cjdns already has ip tunneling builtin on linux. This query is for Windows and other operating systems.
07:32 < sdgathman> Where the cjdns devs haven't figured out tunneling yet.
07:33 < sdgathman> But cjdns itself works fine.
07:34 < sdgathman> Openvpn already works and tunnels on Windows, so it seems like a solution.
07:57 -!- dtscode [~nchambers@2001:4870:a04e:2:f5a1:bca7:4fd2:a149] has joined #openvpn
07:57 -!- dtscode [~nchambers@2001:4870:a04e:2:f5a1:bca7:4fd2:a149] has left #openvpn ["Leaving"]
07:57 -!- Dropbox [~Dropbox@unaffiliated/dropbox] has joined #openvpn
07:57 -!- Dropbox [~Dropbox@unaffiliated/dropbox] has left #openvpn []
07:58 -!- lsh [~lsh@p4FF8EA70.dip0.t-ipconnect.de] has joined #openvpn
08:00 < lsh> is it recommended to upgrade from v2.3.8 to v2.3.10 ?
08:06 < apollo13> what kind of question is that?
08:06 < apollo13> or let me put it that way: why wouldn't it be recommended
08:07 <@plaisthos> lsh: read the changelog and decide for yourself
08:08 < apollo13> at least the dns leak fix on windows seems worth it :D
08:08 <@plaisthos> apollo13: you need to enable that option
08:09 < apollo13> plaisthos: still :D
08:09 < apollo13> (not that I'd have windows)
08:09 <@plaisthos> apollo13: then that feature is probably not worth upgrading for you :)
08:09 < apollo13> no, but I tend to apply bugfix releases in general
08:13 < lsh> so you guys are always using the most recent version?
08:15 -!- unix4linux_ [~unix4linu@75.112.21.38] has quit [Ping timeout: 260 seconds]
08:21 < apollo13> no, the latest bugfix release of the minor version I am on
08:36 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has quit [Quit: gotta go]
08:41 <@plaisthos> lsh: I am running -master :D
08:41 <@plaisthos> (so so are all the people I force that version on)
08:58 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has joined #openvpn
09:14 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 250 seconds]
09:19 < msg> hey all :)
09:19 < msg> I want to be able to ssh into my work server from home, and I think the best way to do that is to put both work and home computers on an openVPN network using an AWS instance
09:20 < msg> I followed a lengthy guide on how to do this at work, but I couldn't get the work PC to join the AWS VPN
09:20 < msg> At home, however, it seems like I can
09:20 < msg> So I have a feeling my work network is blocking the VPN ports
09:20 < msg> (which is weird because I'm going OUT not in)
09:21 -!- lsh_ [~lsh@p4FF8EA70.dip0.t-ipconnect.de] has joined #openvpn
09:21 < msg> So, er, is there a way to test that question specifically - so I can decide if using an httpvpn is worth it?
09:21 < msg> (I saw that openVPN has an HTTP method)
09:23 -!- lsh [~lsh@p4FF8EA70.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds]
09:24 < DArqueBishop> msg - at the risk of sounding unhelpful, have you considered asking your IT department for remote access?
09:25 <@plaisthos> doing things like this without authorization can get you easily fired
09:26 < DArqueBishop> Right. Back in my sysadmin days, if I found out a user was doing something like that without my permission that person would at the very least get written up.
09:34 -!- NP-Hardass [~NP-Hardas@gentoo/developer/np-hardass] has quit [Quit: WeeChat 1.3]
09:39 -!- lsh_ [~lsh@p4FF8EA70.dip0.t-ipconnect.de] has quit [Quit: Msg]
09:40 < sdgathman> msg: You can make openvpn use any arbitrary udp or tcp port.
09:41 < sdgathman> If necessary, you can use tcp port 443 - that usually fools those types of policies.
09:42 < sdgathman> Also, consider cjdns
09:42 -!- r00t^2 [~bts@g.rainwreck.com] has quit [Quit: i don't know why i think pressing ctrl-c harder will help.]
09:43 -!- KNERD [~KNERD@netservisity.com] has joined #openvpn
09:43 -!- r00t^2 [~bts@g.rainwreck.com] has joined #openvpn
09:45 < sdgathman> DArqueBishop: I've always worked at small companies, where there was no such policy. If you didn't configure the firewall yourself, the boss hired some 3rd party consultant to do it, and they don't really keep on top of it or care.
09:46 < sdgathman> But yeah, I can imagine that at a big company, there is a written policy or firewall czar somewhere, and violating it or crossing them will have consequences.
09:47 < DArqueBishop> sdgathman, my previous jobs were at smaller companies, too, and I always had such a policy. I had no problem giving people remote access if they could give a plausible reason why they would need it, but I'd go through the roof if they did something and didn't clear it with me first.
09:48 < sdgathman> Well, then you were the firewall czar.
09:48 * DArqueBishop chuckles.
09:49 < DArqueBishop> Yeah, I guess you could say I was a hardass about it, but I at least tried to be reasonable about it. As long as the user's supervisor was cool with them being able to get on remotely, I almost always granted access.
09:51 < sdgathman> So what did you do when someone buys a consumer WAP and plugs it into an ethernet jack so they can use their laptop without wires?
09:51 < sdgathman> (And don't bother even using WPA)
09:52 < DArqueBishop> I removed it and read them the riot act.
09:52 < sdgathman> My clients are generally remote, so finding it is not trivial. It looks like any other client.
09:53 < DArqueBishop> Then I would point out that the building had wireless available, including a guest network for non-company devices, so they were being silly.
09:53 < sdgathman> nmap is one way - it can usually identify the devices
09:54 < sdgathman> I put all the end users on the guest network. They aren't any more trusted than guests.
09:54 < sdgathman> The servers get their own physical LAN.
09:54 * DArqueBishop nods.
09:55 < sdgathman> Another fun one is cleaning people that unplug things temporarily to vacuum, then plug them back in - in a different spot.
09:56 < DArqueBishop> That's always fun.
09:56 < sdgathman> Often, this is a power cord, which doesn't crash the server because it has 2. But it gets plugged back into the same UPS as the other cord, or the same wall outlet as the other cord.
09:57 < sdgathman> So you don't realize there is a problem until too late.
09:57 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
09:58 < sdgathman> On the NUT forums, I keep suggesting to the UPS manufacturer devs that I would like to see some kind of communication between the server and UPS over the power cord - not a separate USB/serial cable.
09:58 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Max SendQ exceeded]
09:59 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
09:59 < sdgathman> There are lots of systems available, and they can be added on to both server and UPS - but to really be failsafe they need to be integrated so people can't unplug them.
10:02 <@plaisthos> sdgathman: that should be your problem
10:02 < sdgathman> How so?
10:02 <@plaisthos> if people can unplug your server your physical security is probably questionable
10:03 < sdgathman> Well yes, that is generally the case at a really small company.
10:03 < sdgathman> The server is not in a locked room.
10:04 < sdgathman> And in that situation, monitoring the UPS over the power cord rather than a separate cable would ensure you were actually plugged into the UPS you are monitoring.
10:04 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has quit [Remote host closed the connection]
10:05 <@dazo> big or not ... placing server+ups in a closed+locked cabinet isn't that hard to achieve and reduces the risk to a more comfortable level
10:05 <@plaisthos> what dazo said
10:05 < sdgathman> It doesn't help me because I am remote.
10:05 < sdgathman> Someone will have the key.
10:06 < sdgathman> But I could suggest it.
10:06 <@dazo> "someone will have the key" ... that's policy .... even at big enterprises "someone will have the key" to the server room(s)
10:06 -!- KNERD [~KNERD@netservisity.com] has quit [Excess Flood]
10:08 -!- somis [~somis@70.38.6.189] has quit [Quit: Leaving]
10:08 < sdgathman> I understand, but it is out of my hands. Strange things happen, and I am in another state.
10:08 < sdgathman> So anything that helps me see what is actually plugged into what is a big bonus.
10:08 <@dazo> the important thing is to have a policy and document who has access to the key(s) and how access requests to the server(s) (requiring unlocking of the server rack/cabinet) are handled and logged
10:08 < sdgathman> For instance, my current company recently moved.
10:09 <@dazo> If something goes wrong with such policy in place ... then they can't blame you in any way
10:09 < sdgathman> No one ever blames me - that is never my problem.
10:09 < sdgathman> But I have to make it work again.
10:11 < sdgathman> And when I'm not there, it is really painful going over and over again what is plugged into what, and the user still miscommunicating.
10:11 <@dazo> with proper policies in place, you can ask for the log records .... and then blame an individual ;-)
10:11 < sdgathman> It is not an issue of blame.
10:11 < sdgathman> The issue is getting things plugged in correctly again.
10:12 <@dazo> blame can often have a good effect in keeping people from doing silly things ... like unplugging things they shouldn't unplug
10:12 < sdgathman> I have asked the user to take pictures on their smartphone of the cabling and email me. That has cleared up a number of miscommunications.
10:13 < sdgathman> dazo: in the case of the move, they *should* have unplugged it. And they tried to label all the cables. And generally succeeded on the non-power cables.
10:13 -!- SkyWanker [4ec2883f@gateway/web/freenode/ip.78.194.136.63] has joined #openvpn
10:13 <@dazo> ahh, I see
10:13 < sdgathman> But which outlet a power cord is plugged into doesn't seem significant to an end user.
10:13 <@dazo> well, that's not too surprising though
10:14 < SkyWanker> Greetings, I'm having trouble connecting through openvpn, so far what I can tell is that the connection to my vpn provider just fails. Any hints?
10:14 <@dazo> !welcome
10:14 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
10:14 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:14 < sdgathman> So that is why I wish for comm to UPS over the power cord.
10:16 < sdgathman> SkyWanker: "just fails" is not helpful. The actual error message, what OS, and the config instructions from your provider including port (but not any keys).
10:16 < SkyWanker> My bad. My goal is: I would like to get that connection working, but I'm 2 hours old in the VPN world. I also followed the step by step installation from my vpn provider
10:16 < SkyWanker> sdgathman: i see. Hold on sir!
10:17 <@dazo> sdgathman: I doubt that's gonna happen soon, as that requires modified PSUs as well as UPSes ... I'd rather believe having a side-channel comm (like today's USB) will be the important detail. But the UPS could provide information about which socket is activated and how many Amps or watts each socket drains - that is more likely doable
10:19 < SkyWanker> Okay so I'm on the latest debian distro, I chose boleh vpn, I'm trying to connect to their proxied servers. I don't have any error message, since it is all done via the network manager. The connection is intended to happen over the port 43.
10:20 < SkyWanker> 443*
10:20 <@dazo> SkyWanker: have you tried to contact their support? ... we need access to server logs and configs too, to be able to see what's really going on
10:20 -!- eelstrebor [~ki7rw@216.75.116.100] has joined #openvpn
10:21 <@dazo> SkyWanker: without those logs ... not much we can help with here .... this channel mostly supports users configuring their own VPN servers
10:22 <@dazo> Btw. Just looked at the boleh web site ... " Surf Anonymously " .... that's not really true when you use VPN
10:22 -!- schone [~schone@pool-108-41-29-170.nycmny.fios.verizon.net] has joined #openvpn
10:22 < SkyWanker> dazo: i see. No way to get logs here?
10:22 < schone> hello
10:22 < schone> is there a way to make OpenVPN NAT all traffic that comes thru it?
10:22 < schone> *easily*
10:23 <@dazo> SkyWanker: we do not deliver any commercial VPN service here (which boleh is)
10:23 <@dazo> schone: NAT is easy .... iptables -t nat -A POSTROUTING .....
10:23 < schone> dazo: is there any openvpn.conf directive that will add that route to iptables for me on launch?
10:24 < SkyWanker> dazo: Sure, I'm not asking about how to set up my account, but how to set up openvpn to connect to the desired network
10:24 <@dazo> schone: nope ... the VPN config is for configuring the VPN network, not firewalling and networking outside of the VPN
10:24 <@dazo> SkyWanker: and we do not have access to the boleh VPN servers ... so we do not have the required access ... you need their support to fix your issue
10:25 < schone> dazo: ok, one more question
10:25 <@dazo> sure!
10:25 < schone> dazo: is it possible to give iptables a DNS name instead of an IP to masquerade?
10:26 -!- SkyWanker [4ec2883f@gateway/web/freenode/ip.78.194.136.63] has quit [Quit: Page closed]
10:26 <@dazo> schone: I believe it may work ... but it is not clever to do ... you may end up with a dysfunctional iptables setup on the next boot. iptables are mostly set up before the networking connection is established, thus you won't have any access to any DNS servers
10:27 < schone> got ya
10:27 < schone> thanks dazo!
10:27 <@dazo> yw!
10:35 -!- HollowPoint [~quassel@62.255.245.182] has quit [Remote host closed the connection]
10:48 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
10:48 -!- lsh [~lsh@p4FF8EA70.dip0.t-ipconnect.de] has joined #openvpn
10:53 -!- leonarth [~leonarth@unaffiliated/leonarth] has quit [Read error: Connection reset by peer]
10:53 -!- leonarth [~leonarth@unaffiliated/leonarth] has joined #openvpn
10:54 -!- schone [~schone@pool-108-41-29-170.nycmny.fios.verizon.net] has quit [Quit: schone]
10:54 -!- joako [~joako@opensuse/member/joak0] has quit [Quit: quit]
10:56 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
11:01 -!- lsh [~lsh@p4FF8EA70.dip0.t-ipconnect.de] has quit [Quit: Msg]
11:04 < sdgathman> I was going to suggest to SkyWanker that he needs to make sure he has UDP/TCP as required in the setup instructions.
11:04 < sdgathman> Using port 443 sounds like tcp to me.
11:32 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn
11:35 -!- lusid [~marcmelvi@c-69-180-118-8.hsd1.fl.comcast.net] has joined #openvpn
11:35 < lusid> Is there a way to do the opposite of redirect-gateway and ensure that no other traffic besides predefined routes can go through OpenVPN?
11:37 < lusid> Or is that something I need to block externally using iptables, etc?
11:38 -!- le0 [~le0@unaffiliated/le0] has quit [Quit: Leaving]
11:39 < DArqueBishop> lusid: unless I'm very much mistaken, that's actually the default behavior. Unless you set redirect-gateway and set up iptables to NAT said traffic, OpenVPN won't allow such traffic through.
11:41 < lusid> At the moment, it seems like anyone can add that setting or check the box in Tunnelblick that says to redirect all traffic, and it works. I am using a somewhat prebaked Docker image for the OpenVPN server, so maybe there is a hidden configuration I'm missing if that's the case. Thanks for replying!
11:42 < lusid> I think blocking it with iptables is my best bet. I was just curious if there was a built-in setting for it that better fit my use case.
11:42 -!- sdgathman [~sdgathman@2001:470:7:809::2] has left #openvpn []
11:50 -!- lsh [~lsh@p4FF8EA70.dip0.t-ipconnect.de] has joined #openvpn
11:55 -!- Gizmokid2005 [~Gizmokid2@dedi2.gizmokid2005.com] has quit [Ping timeout: 255 seconds]
11:56 -!- bf_ [~bf_@xdsl-87-78-33-222.netcologne.de] has joined #openvpn
11:58 -!- Gizmokid2005 [~Gizmokid2@dedi2.gizmokid2005.com] has joined #openvpn
12:04 -!- leonarth [~leonarth@unaffiliated/leonarth] has quit []
12:04 -!- lusid [~marcmelvi@c-69-180-118-8.hsd1.fl.comcast.net] has quit [Quit: lusid]
12:12 -!- BtbN [btbn@unaffiliated/btbn] has quit [Quit: Bye]
12:13 -!- BtbN [btbn@unaffiliated/btbn] has joined #openvpn
12:32 -!- loeken [~lknfree@u.internetz.me] has joined #openvpn
12:33 < loeken> eveningZ
12:35 -!- speeddragon [~speeddrag@193.137.28.200] has quit [Ping timeout: 272 seconds]
12:39 < mete> DArqueBishop: normally all traffic to the openvpn server is allowed, however, routing to other subnets or the internet normally won't work
12:39 < mete> it is like you would add a normal network card in a server and plug in a client
12:39 < mete> for all firewalling iptables is needed
12:41 -!- speeddragon [~speeddrag@193.137.28.200] has joined #openvpn
12:41 < DArqueBishop> mete, I guess I wasn't clear, but that's pretty much what I meant to say.
12:42 < mete> :D 12:43 -!- speeddragon [~speeddrag@193.137.28.200] has quit [Remote host closed the connection] 12:45 -!- lsh [~lsh@p4FF8EA70.dip0.t-ipconnect.de] has quit [Quit: Msg] 12:46 -!- somis [~somis@70.38.6.189] has joined #openvpn 12:47 -!- Tuju [~tuju@214.204.50.195.sta.estpak.ee] has joined #openvpn 12:50 -!- NP-Hardass [~NP-Hardas@gentoo/developer/np-hardass] has joined #openvpn 12:50 -!- NP-Hardass [~NP-Hardas@gentoo/developer/np-hardass] has quit [Client Quit] 12:51 -!- NP-Hardass [~NP-Hardas@gentoo/developer/np-hardass] has joined #openvpn 12:59 -!- Paaltomo [~Paaltomo@159.203.30.107] has quit [Ping timeout: 240 seconds] 13:00 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Quit: dionysus69] 13:06 -!- lsh [~lsh@p4FF8EA70.dip0.t-ipconnect.de] has joined #openvpn 13:24 -!- SupaYoshi [~SupaYoshi@104.223.1.186] has quit [Quit: ZNC - http://znc.in] 13:28 -!- bf_ [~bf_@xdsl-87-78-33-222.netcologne.de] has quit [Quit: KVIrc 4.2.0 Equilibrium http://www.kvirc.net/] 13:40 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt] 13:52 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Quit: Apparantly my attempt to stay awake has failed...] 
13:59 -!- Hadi [~Instantbi@gateway/vpn/privateinternetaccess/merandus] has joined #openvpn
14:10 -!- msg [~john@unaffiliated/john] has quit [Ping timeout: 250 seconds]
14:14 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has joined #openvpn
14:15 -!- teksimian [~chatzilla@174-138-204-15.cpe.distributel.net] has joined #openvpn
14:15 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has joined #openvpn
14:22 -!- lsh [~lsh@p4FF8EA70.dip0.t-ipconnect.de] has quit [Quit: Msg]
14:36 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.92 [Firefox 43.0.3/20151223140742]]
14:44 -!- radonx [~radonx@server1.dutchunited.eu] has joined #openvpn
14:49 -!- CaTtleyA [~CaTtleyA@aputeaux-653-1-138-246.w86-195.abo.wanadoo.fr] has quit [Ping timeout: 272 seconds]
14:51 -!- averagecase [~bolle@cl-6544.cgn-01.de.sixxs.net] has joined #openvpn
14:52 -!- teksimian [~chatzilla@174-138-204-15.cpe.distributel.net] has quit [Ping timeout: 256 seconds]
15:07 -!- DammitJim [~DammitJim@173.227.148.6] has joined #openvpn
15:08 < DammitJim> ok, cool! So, I think I have been able to connect to the openvpn server
15:08 < DammitJim> but I don't think I am able to reach other devices besides the openvpn server machine (I can ssh into it)
15:08 < DammitJim> what else could I be missing?
15:18 < radonx> hey
15:19 -!- Paaltomo [~Paaltomo@159.203.30.107] has joined #openvpn
15:20 < radonx> i have openssl on my WD My Book Live, and installed the client on my laptop. that part works. but there's also a feature that you can use it with tinyproxy so you get an ip address from your server's range. but doesn't the giving of ip addresses by openvpn/tinyproxy cause problems with the dhcp from the router?
15:26 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn 15:28 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 15:31 -!- speeddragon [~speeddrag@sm2-84-91-40-157.netvisao.pt] has joined #openvpn 15:31 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Ping timeout: 260 seconds] 15:32 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn 15:33 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Max SendQ exceeded] 15:34 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn 15:37 -!- teksimian [~chatzilla@174-138-204-15.cpe.distributel.net] has joined #openvpn 15:52 -!- deetwelve [~deetwelve@unaffiliated/deetwelve] has quit [Ping timeout: 244 seconds] 15:56 -!- deetwelve [~deetwelve@unaffiliated/deetwelve] has joined #openvpn 15:58 -!- deetwelve [~deetwelve@unaffiliated/deetwelve] has quit [Max SendQ exceeded] 15:58 -!- deetwelve [~deetwelve@unaffiliated/deetwelve] has joined #openvpn 15:59 -!- speeddragon [~speeddrag@sm2-84-91-40-157.netvisao.pt] has quit [Remote host closed the connection] 16:01 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Quit: Apparantly my attempt to stay awake has failed...] 
16:03 -!- unix4linux_ [~unix4linu@75.112.21.38] has joined #openvpn
16:06 -!- NightMonkey [~NightMonk@pdpc/supporter/professional/nightmonkey] has quit [Ping timeout: 240 seconds]
16:06 -!- xalice [~root@2001:bc8:348c:100::1] has quit [Ping timeout: 240 seconds]
16:06 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 240 seconds]
16:06 -!- flyingkiwi [~kiwi@manu.backend.hamburg] has quit [Ping timeout: 240 seconds]
16:06 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Ping timeout: 240 seconds]
16:06 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 240 seconds]
16:07 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 240 seconds]
16:12 -!- speeddragon [~speeddrag@a89-154-182-47.cpe.netcabo.pt] has joined #openvpn
16:12 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
16:12 -!- flyingkiwi [~kiwi@185.28.76.179] has joined #openvpn
16:14 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
16:20 -!- xalice [~root@2001:bc8:348c:100::1] has joined #openvpn
16:20 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has joined #openvpn
16:24 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
16:24 -!- mode/#openvpn [+o dazo] by ChanServ
16:25 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
16:26 < radonx> i have openvpn on my WD My Book Live, and installed the client on my laptop. that part works. but there's also a feature that you can use it with tinyproxy so you get an ip address from your server's range. but doesn't the giving of ip addresses by openvpn/tinyproxy cause problems with the dhcp from the router?
16:27 -!- rrichard_ [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
16:28 -!- rrichard_ [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Max SendQ exceeded]
16:29 -!- rrichard_ [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
16:29 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Ping timeout: 250 seconds]
16:34 -!- NP-Hardass [~NP-Hardas@gentoo/developer/np-hardass] has quit [Quit: WeeChat 1.3]
16:37 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has quit [Quit: Leaving]
16:45 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
16:47 -!- DammitJim [~DammitJim@173.227.148.6] has quit [Quit: Leaving]
16:57 -!- rrichard_ [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Quit: Apparantly my attempt to stay awake has failed...]
17:06 -!- speeddragon [~speeddrag@a89-154-182-47.cpe.netcabo.pt] has quit [Remote host closed the connection]
17:06 -!- speeddragon [~speeddrag@a89-154-182-47.cpe.netcabo.pt] has joined #openvpn
17:12 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Remote host closed the connection]
17:20 -!- Hadi1 [~Instantbi@31.59.6.198] has joined #openvpn
17:22 -!- Hadi [~Instantbi@gateway/vpn/privateinternetaccess/merandus] has quit [Ping timeout: 265 seconds]
17:22 -!- Hadi1 is now known as Hadi
17:24 -!- CaTtleyA [~CaTtleyA@aputeaux-653-1-138-246.w86-195.abo.wanadoo.fr] has joined #openvpn
17:59 -!- speeddragon [~speeddrag@a89-154-182-47.cpe.netcabo.pt] has quit [Remote host closed the connection]
18:01 -!- OS-16517 [OS-16517@unaffiliated/os-16517] has quit []
18:11 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
18:18 -!- speeddragon [~speeddrag@sm2-84-91-40-157.netvisao.pt] has joined #openvpn
18:29 -!- Hadi [~Instantbi@31.59.6.198] has quit [Remote host closed the connection]
18:33 -!- unix4linux_ [~unix4linu@75.112.21.38] has quit [Ping timeout: 260 seconds]
18:34 -!- FruitieX [~FruitieX@unaffiliated/fruitiex] has quit [Ping timeout: 276 seconds]
18:36 -!- FruitieX [~FruitieX@unaffiliated/fruitiex] has joined #openvpn
19:08 -!- averagecase [~bolle@cl-6544.cgn-01.de.sixxs.net] has quit [Ping timeout: 260 seconds]
19:26 -!- Tenhi_ is now known as Tenhi
19:29 -!- Tenhi_ [~tenhi@static-ip-69-64-50-196.inaddr.ip-pool.com] has joined #openvpn
19:51 -!- somis [~somis@70.38.6.189] has quit [Quit: Leaving]
19:51 -!- dazo is now known as dazo_afk
19:53 -!- OS-16517 [~YBPL@unaffiliated/os-16517] has joined #openvpn
19:57 -!- speeddragon [~speeddrag@sm2-84-91-40-157.netvisao.pt] has quit [Remote host closed the connection]
20:03 -!- CryptoSiD [SiD@CryptoSiD.DonSiD.net] has joined #openvpn
20:03 < CryptoSiD> hello, happy new year to everyone
20:04 -!- weox [uid112413@gateway/web/irccloud.com/x-hbcmkiottgbbxtpn] has quit [Quit: Connection closed for inactivity]
20:05 < CryptoSiD> I'm using "block-outside-dns" in my client config, but sometimes it stops resolving ipv6-only hosts for some minutes, any idea what could cause this? (I only have an ipv6 on my vpn, also have an ipv4), the dnsleaktest always seems to work fine for me, since it always uses the vpn NS
20:06 < CryptoSiD> if anyone has an idea:)
20:06 < CryptoSiD> using the last openvpn version released some weeks ago
20:08 < CryptoSiD> http://pastebin.com/gBs1m9Qt here's the client config
20:30 -!- teksimian [~chatzilla@174-138-204-15.cpe.distributel.net] has quit [Ping timeout: 245 seconds]
20:46 < radonx> i have openvpn on my WD My Book Live, and installed the client on my laptop. that part works. but there's also a feature that you can use it with tinyproxy so you get an ip address from your server's range. but doesn't the giving of ip addresses by openvpn/tinyproxy cause problems with the dhcp from the router?
21:18 -!- DArqueBishop [~drkbish@tyrande.darquecathedral.org] has quit [Quit: End of line.]
21:20 -!- DArqueBishop [~drkbish@tyrande.darquecathedral.org] has joined #openvpn 21:21 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer] 21:35 -!- tobinski_ [~tobinski@x2f5d9ff.dyn.telefonica.de] has joined #openvpn 21:39 -!- tobinski___ [~tobinski@x2f5f45f.dyn.telefonica.de] has quit [Ping timeout: 264 seconds] 22:11 -!- NP-Hardass [~NP-Hardas@gentoo/developer/np-hardass] has joined #openvpn 22:26 -!- lykinsbd [~lykinsbd@cpe-173-174-131-187.satx.res.rr.com] has joined #openvpn 22:28 -!- lykinsbd [~lykinsbd@cpe-173-174-131-187.satx.res.rr.com] has quit [Client Quit] 22:40 -!- eelstrebor [~ki7rw@216.75.116.100] has quit [Quit: Ex-Chat] 22:48 -!- luckman212 [~luckman21@unaffiliated/luckman212] has quit [Ping timeout: 250 seconds] 22:54 -!- luckman212 [~luckman21@unaffiliated/luckman212] has joined #openvpn 23:08 -!- ShadniX [dagger@p5DDFE119.dip0.t-ipconnect.de] has quit [Ping timeout: 246 seconds] 23:09 -!- ShadniX [dagger@p5DDFC156.dip0.t-ipconnect.de] has joined #openvpn 23:31 -!- marlinc [~marlinc@unaffiliated/marlinc] has quit [Ping timeout: 255 seconds] 23:35 -!- marlinc [~marlinc@unaffiliated/marlinc] has joined #openvpn --- Day changed Thu Jan 07 2016 00:01 -!- james41382 [~james4138@unaffiliated/james41382] has quit [Read error: Connection reset by peer] 00:03 -!- james41382 [~james4138@unaffiliated/james41382] has joined #openvpn 00:05 -!- ValdikSS [~valdikss@95.215.45.33] has quit [Ping timeout: 245 seconds] 00:17 -!- valdikss [~valdikss@95.215.45.33] has joined #openvpn 00:54 -!- whfsdude [~whfsdude@Zenoss/Support/whfsdude] has quit [Excess Flood] 00:56 -!- whfsdude [~whfsdude@Zenoss/Support/whfsdude] has joined #openvpn 01:08 -!- unix4linux_ [~unix4linu@50-88-20-246.res.bhn.net] has joined #openvpn 01:14 -!- unix4linux_ [~unix4linu@50-88-20-246.res.bhn.net] has quit [Ping timeout: 272 seconds] 01:45 -!- CaTtleyA [~CaTtleyA@aputeaux-653-1-138-246.w86-195.abo.wanadoo.fr] has quit [Ping timeout: 272 seconds] 01:46 
-!- CaTtleyA [~CaTtleyA@aputeaux-653-1-138-246.w86-195.abo.wanadoo.fr] has joined #openvpn 01:46 -!- luckman212 [~luckman21@unaffiliated/luckman212] has quit [Ping timeout: 245 seconds] 01:55 -!- luckman212 [~luckman21@unaffiliated/luckman212] has joined #openvpn 02:32 -!- HollowPoint [~quassel@62.255.245.182] has joined #openvpn 03:02 -!- toli [~toli@ip-62-235-220-69.dsl.scarlet.be] has quit [Ping timeout: 246 seconds] 03:07 -!- toli [~toli@ip-62-235-212-11.dsl.scarlet.be] has joined #openvpn 03:28 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has left #openvpn ["Konversation terminated!"] 03:36 -!- julieeharshaw [~julie@juliekoubova.net] has quit [Ping timeout: 255 seconds] 03:54 -!- julieeharshaw [~julie@juliekoubova.net] has joined #openvpn 04:04 -!- OneTrickPony [~Thunderbi@static-87-79-70-177.netcologne.de] has joined #openvpn 04:05 -!- OneTrickPony [~Thunderbi@static-87-79-70-177.netcologne.de] has quit [Client Quit] 04:07 -!- shio [marmottin@129.121.101.84.rev.sfr.net] has quit [Read error: Connection reset by peer] 04:08 -!- OneTrickPony [~Thunderbi@static-87-79-70-177.netcologne.de] has joined #openvpn 04:09 -!- OneTrickPony [~Thunderbi@static-87-79-70-177.netcologne.de] has quit [Client Quit] 04:11 -!- shio [marmottin@129.121.101.84.rev.sfr.net] has joined #openvpn 04:18 -!- le0 [~le0@unaffiliated/le0] has joined #openvpn 04:37 -!- luckman212 [~luckman21@unaffiliated/luckman212] has quit [Ping timeout: 260 seconds] 04:37 -!- speeddragon [~speeddrag@193.137.28.200] has joined #openvpn 04:43 -!- luckman212 [~luckman21@unaffiliated/luckman212] has joined #openvpn 04:43 -!- weox [uid112413@gateway/web/irccloud.com/x-dkrovavykylgjcud] has joined #openvpn 04:53 -!- christobill [uid60328@gateway/web/irccloud.com/x-qnlvvrllhzfywvyy] has joined #openvpn 04:53 < christobill> Hi guys. I have been trying to access an ovpn client from a machine in a VLAN behind the ovpn server. Did anyone here ever try something like that? 
04:55 < christobill> I am struggling with the routes, the gateways, iptables and everything
05:07 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn
05:07 -!- Ryushin [user@windwalker.chrisdos.com] has quit [Ping timeout: 264 seconds]
05:16 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 260 seconds]
05:21 -!- dazo_afk is now known as dazo
06:03 -!- repozitor [~repozitor@unaffiliated/deadperson] has joined #openvpn
06:04 -!- repozitor [~repozitor@unaffiliated/deadperson] has left #openvpn []
06:09 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has joined #openvpn
06:19 -!- toli [~toli@ip-62-235-212-11.dsl.scarlet.be] has quit [Read error: Connection reset by peer]
06:22 -!- toli [~toli@ip-62-235-212-11.dsl.scarlet.be] has joined #openvpn
06:25 -!- doebi [~doebi@doebi.at] has quit [Remote host closed the connection]
06:27 -!- toli [~toli@ip-62-235-212-11.dsl.scarlet.be] has quit [Ping timeout: 246 seconds]
06:34 -!- toli [~toli@ip-62-235-220-95.dsl.scarlet.be] has joined #openvpn
06:50 -!- somis [~somis@70.38.6.189] has joined #openvpn
06:56 < christobill> the only thing I see on the ovpn server https://www.irccloud.com/pastebin/Dionzhrs/
06:58 < christobill> and ovpn server ip 10.131.102.47
06:58 -!- u0m3 [~u0m3@188.27.74.65] has quit [Ping timeout: 265 seconds]
07:07 -!- Ryushin [chris@2001:5c0:1000:a::225] has joined #openvpn
07:07 -!- toli [~toli@ip-62-235-220-95.dsl.scarlet.be] has quit [Ping timeout: 246 seconds]
07:14 -!- toli [~toli@ip-62-235-238-241.dsl.scarlet.be] has joined #openvpn
07:18 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Quit: skyroveRR]
07:20 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
07:21 -!- bpye [~quassel@unaffiliated/bpye] has quit [Remote host closed the connection]
07:23 -!- bpye [~quassel@unaffiliated/bpye] has joined #openvpn
07:28 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn
08:11 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
08:11 -!- tdn [~tdn@syrah.adora.dk] has quit [Quit: leaving]
08:19 -!- showaz [~showaz@unaffiliated/showaz] has joined #openvpn
08:44 -!- d10n [~d10n@unaffiliated/d10n] has quit [Ping timeout: 250 seconds]
08:52 -!- d10n [~d10n@unaffiliated/d10n] has joined #openvpn
09:02 -!- u0m3 [~u0m3@188.27.154.248] has joined #openvpn
09:22 -!- dazo is now known as dazo_afk
09:37 -!- whfsdude [~whfsdude@Zenoss/Support/whfsdude] has quit [Excess Flood]
09:37 -!- whfsdude [~whfsdude@Zenoss/Support/whfsdude] has joined #openvpn
09:37 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn
09:47 -!- l30 [~le0@unaffiliated/le0] has joined #openvpn
09:49 < radonx> i have openvpn on my WD My Book Live, and installed the client on my laptop. that part works. but there's also a feature that you can use it with tinyproxy so you get an ip address from your server's range. but doesn't the giving of ip addresses by openvpn/tinyproxy cause problems with the dhcp from the router?
09:50 -!- le0 [~le0@unaffiliated/le0] has quit [Ping timeout: 240 seconds]
09:57 -!- Tuju [~tuju@214.204.50.195.sta.estpak.ee] has left #openvpn []
10:08 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Remote host closed the connection]
10:08 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn
10:09 -!- catsup [d@ps38852.dreamhost.com] has quit [Ping timeout: 250 seconds]
10:10 -!- catsup [d@ps38852.dreamhost.com] has joined #openvpn
10:25 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
10:25 -!- HollowPoint [~quassel@62.255.245.182] has quit [Remote host closed the connection]
10:30 -!- ravegen [~androirc@203.215.117.181] has joined #openvpn
10:30 < ravegen> Good day. I have openvpn service on my centos server. I only allowed ports 23, 80, 443 and 1194 both tcp and udp on the INPUT and OUTPUT chains, but when i connect the vpn client and run the utorrent app, there is still traffic on the utorrent app. Why isn't it blocked?
10:34 <@plaisthos> ravegen: you are looking for FORWARD :)
10:34 <@plaisthos> iirc
10:34 <@plaisthos> input and output is only for the server itself
10:36 < ravegen> Yes i need to block torrent to vpn user
10:36 < ravegen> So that i won't break the aup of the vps host
10:43 <@plaisthos> yes I think you need the forward chain
10:43 <@plaisthos> !iptables
10:43 <@vpnHelper> "iptables" is (#1) To test if netfilter ("iptables rules") are your problem, disable all rules with an ACCEPT policy. See https://github.com/QueuingKoala/netfilter-samples/tree/master/reset-rules for a script to do this. or (#2) See also the manpage section on firewalls at this link: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG or (#3) These are just the basics to get you
10:43 <@vpnHelper> started as firewall design is beyond this channel's scope; you can also see #netfilter
10:44 < ravegen> Ok tnx
10:44 -!- ravegen [~androirc@203.215.117.181] has left #openvpn ["AndroIRC"]
11:03 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Quit: Apparantly my attempt to stay awake has failed...]
11:15 < radonx> i have openvpn on my WD My Book Live, and installed the client on my laptop. that part works. but there's also a feature that you can use it with tinyproxy so you get an ip address from your server's range. but doesn't the giving of ip addresses by openvpn/tinyproxy cause problems with the dhcp from the router?
11:21 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 11:22 -!- varesa [~varesa@ec2-54-246-169-192.eu-west-1.compute.amazonaws.com] has quit [Killed (Sigyn (Spam is off topic on freenode.))] 11:39 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn 11:40 -!- l30 [~le0@unaffiliated/le0] has quit [Ping timeout: 250 seconds] 11:43 -!- varesa [~varesa@ec2-54-246-169-192.eu-west-1.compute.amazonaws.com] has joined #openvpn 11:45 -!- Ryushin [chris@2001:5c0:1000:a::225] has quit [Ping timeout: 260 seconds] 11:46 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Max SendQ exceeded] 11:47 -!- speeddragon [~speeddrag@193.137.28.200] has quit [Read error: Connection reset by peer] 11:47 -!- speeddragon [~speeddrag@193.137.28.200] has joined #openvpn 11:55 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn 11:56 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Max SendQ exceeded] 11:57 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn 12:01 -!- rrichard_ [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn 12:01 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Ping timeout: 255 seconds] 12:10 -!- luckman212 [~luckman21@unaffiliated/luckman212] has quit [Ping timeout: 245 seconds] 12:12 -!- rrichard_ [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Quit: Apparantly my attempt to stay awake has failed...] 
12:20 -!- luckman212 [~luckman21@unaffiliated/luckman212] has joined #openvpn 12:23 -!- dazo_afk is now known as dazo 12:40 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Quit: dionysus69] 12:44 -!- xamindar [~quassel@c-24-4-76-244.hsd1.ca.comcast.net] has quit [Read error: Connection reset by peer] 12:55 -!- CihanKaygusuz [uid137079@gateway/web/irccloud.com/x-gqklyfimdqreorcv] has quit [Quit: Connection closed for inactivity] 12:59 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn 13:03 -!- rrichard_ [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn 13:03 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Ping timeout: 240 seconds] 13:12 -!- speeddragon [~speeddrag@193.137.28.200] has quit [Remote host closed the connection] 13:27 -!- git [~git@firefox/community/pilif12p] has left #openvpn ["Textual IRC Client: www.textualapp.com"] 13:30 -!- Sambom__ [~Sambom@h119n19-k-flo-a13.ias.bredband.telia.com] has joined #openvpn 13:35 -!- freekevi- [freekevin@unaffiliated/freekevin] has joined #openvpn 13:37 -!- Meow-J_ [uid69628@gateway/web/irccloud.com/x-knfysvojlluudprq] has joined #openvpn 13:38 -!- n-st_ [~n-st@unaffiliated/n-st] has joined #openvpn 13:39 -!- RBecker_ [~Ryan@openvpn/user/RBecker] has joined #openvpn 13:39 -!- mode/#openvpn [+v RBecker_] by ChanServ 13:39 -!- lbft_ [~lbft@unaffiliated/lbft] has joined #openvpn 13:39 -!- varesa- [~varesa@ec2-54-246-169-192.eu-west-1.compute.amazonaws.com] has joined #openvpn 13:40 -!- Netsplit *.net <-> *.split quits: Meow-J, johnny56, Darkwell, Sambom_, subzero79, varesa, @plaisthos, Tykling, Keridos, Nothing4You, (+11 more, use /NETSPLIT to show all of them) 13:40 -!- lbft_ is now known as lbft 13:40 -!- RBecker_ is now known as RBecker 13:40 -!- n-st_ is now known as n-st 13:41 -!- Netsplit over, joins: bachler, Keridos 13:41 -!- Darkwell [~Darkwell@h-72-115.a192.priv.bahnhof.se] has joined #openvpn 13:41 -!- 
13:41 -!- varesa- is now known as varesa
13:42 -!- Darkwell [~Darkwell@h-72-115.a192.priv.bahnhof.se] has quit [Changing host]
13:42 -!- Darkwell [~Darkwell@unaffiliated/phantom-x] has joined #openvpn
13:42 -!- Netsplit over, joins: nitdega, troyt
13:42 -!- f0o [~f0o@46.246.25.82] has joined #openvpn
13:43 -!- Netsplit over, joins: ponyofdeath
13:43 -!- Netsplit over, joins: [DS]Matej
13:44 -!- Netsplit over, joins: plaisthos
13:44 -!- mode/#openvpn [+o plaisthos] by ChanServ
13:44 -!- Netsplit over, joins: Nothing4You
13:45 -!- pythonsnake [~pythonsna@fedora/pythonsnake] has joined #openvpn
13:49 -!- Tykling [tykling@gibfest.dk] has joined #openvpn
13:51 -!- Meow-J_ is now known as Meow-J
14:06 -!- Exagone313 [exa@elou.world] has quit [Quit: see ya!]
14:12 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
14:14 -!- lsh [~lsh@p4FF8FB24.dip0.t-ipconnect.de] has joined #openvpn
14:19 -!- krzie [ba95f387@openvpn/community/support/krzee] has joined #openvpn
14:19 -!- mode/#openvpn [+o krzie] by ChanServ
14:20 -!- krzie changed the topic of #openvpn to: openvpn: OpenVPN Community Support Channel || PLEASE read entire topic || Current Release: 2.3.10 (4 Jan 2016) || First time? Use !welcome and !goal || Access-Server? /join #openvpn-as || We're not psychic - please !paste your !configs and !logs and a description of the issue || Your problem is probably firewall, Really || Vulninfo: !heartbleed !poodle !ovpnuke || Patience is a virtue
14:20 -!- ohsnap [~ohhhhhhh@trivialand/guesser/ohsnap] has joined #openvpn
14:21 < ohsnap> greetings all. trying to figure out the best way to do this: i currently have openvpn running on a freebsd vm. everything is set up and i was able to connect to the vpn from my house but i am unable to reach anything on the other private subnets in my work network
14:22 < ohsnap> i am a bit confused as to my options for allowing the default openvpn 10.8.0.0 subnet to reach my other 10.x.x.x internal subnet. can someone point me in the right direction? (push, server-bridge, or creating static routes in my router?)
14:24 < Neighbour> you want to be able to, from the client, reach other machines on the server network, or the other way around?
14:26 < ohsnap> yes i want to be able to, from my home network, connect to the vpn here at work and access the work 10.x.x.x subnet
14:27 < ohsnap> it doesn't overlap with the default 10.8.0.0 openvpn network, but i don't know if this is something i am supposed to configure in openvpn (push?) or if i just need to make a static route in my router here at work to point traffic to the 10.8.0.0 network back through the openvpn server
14:31 < ohsnap> ohh i see. so it is both
14:32 <@krzie> !serverlan
14:32 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
14:33 < ohsnap> ty
14:34 < Neighbour> np :) you did most of the thinking yourself
14:38 -!- Exagone314 [exa@elou.world] has joined #openvpn
14:38 <@krzie> the troubleshooting flowchart is pretty handy too
14:41 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Ping timeout: 276 seconds]
14:42 < ohsnap> yes it is :) thanks yall
14:42 <@krzie> np
14:46 -!- Exagone314 [exa@elou.world] has quit [Quit: see ya!]
15:52 < radonx> hello
15:55 <@krzie> hello :-p
16:14 < illuminated> lol oops. I left extremely verbose logging on accidentally and filled up my root fs. lol
16:17 < Neighbour> oops
16:37 < klow> Hi all. I am trying to compile a working openvpn server on debian that is FIPS compliant. I have compiled openssl with the fips module, and it seems as though I am able to compile openvpn with my fips compliant openssl library. But a piece of code I have seen on several forums, which begins with #ifdef OPENSSL_FIPS
16:37 < klow> if(options.no_fips <= 0) { , to be placed in the main() of openvpn.c, throws a compiler error about "options" being undeclared
16:37 < klow> I have applied a FIPS patch to the openvpn source tree as well
16:38 < klow> any hints much appreciated.
16:38 < klow> the point of the code is simply to print to stderr that openvpn is indeed in "fips mode"
16:40 <@krzie> klow: i think you may want to try that one in the development channel
16:41 < klow> gotcha, ok thanks
16:41 <@krzie> no problem
16:41 <@krzie> and this wasn't the wrong place to ask, but in this case there too may be good for you
17:51 < NoOova> Hi guys!
17:52 < NoOova> Do I need the client certificate on the server?
17:52 < apollo13> no
17:52 < NoOova> But how could I block a client certificate without the client certificate? =)
17:52 < NoOova> block == add to crl
17:53 < apollo13> the crl just contains the serial, no?
17:54 < NoOova> apollo13: hm I don't know, I think it is an x509 container
17:55 < apollo13> that is news to me
17:55 < apollo13> http://www.gnutls.org/manual/html_node/PKIX-certificate-revocation-lists.html
17:55 <@vpnHelper> Title: GnuTLS 3.4.7: PKIX certificate revocation lists (at www.gnutls.org)
18:00 < NoOova> apollo13: yep, it acquires only the serial
18:00 < NoOova> So in theory I could find the client serial in the openvpn logs and add it to the crl with some mechanism
18:01 < apollo13> not sure if that is in the logs, so you might need the cert
18:01 < apollo13> but keeping the cert on the server is no problem
18:01 < zoredache> You would find the serial in the cert database on the CA usually?
18:02 < apollo13> zoredache: well if you use easy-rsa or so, where would that be?
18:02 < NoOova> zoredache: I worry about the situation when the whole database of client certificates is lost
18:02 < NoOova> apollo13: in easy_rsa/keys/
18:04 < NoOova> maybe I should think about a client whitelist (by CN or by Serial)
18:04 < NoOova> Not a blacklist with a crl
18:05 < NoOova> I think it is not the OpenVPN ideology?
18:06 < zoredache> Well most of my OpenVPN sets have `ccd-exclusive`. So I am not too worried about maintaining a CRL.
18:07 <@krzie> you generate the CRL on the CA
18:07 <@krzie> it must be signed by the ca.key which should NOT be on your server
18:07 <@krzie> OR you can use --disable in a ccd entry to deny access
18:08 <@krzie> does that answer your question?
18:08 < apollo13> NoOova: anyways, I wouldn't be worried about cert loss, just back them up
18:08 < apollo13> they do not contain any private information after all
18:09 <@krzie> but if you lose your CA then you can not make new certs for the vpn
18:09 < NoOova> krzie: I think about it, but it is still unclear
18:09 <@krzie> so don't lose your CA
18:09 <@krzie> and since the CA is where you generate the CRL... you should be fine ;]
18:09 < apollo13> if you lose your CA you got a different problem :D
18:10 < NoOova> krzie: the default installation of openvpn has easy_rsa. What if I do clean_all but have copies of ca.crt and server.key/crt?
18:10 < apollo13> the crt of the ca is not enough
18:10 < apollo13> you need the private key too
18:10 <@krzie> actually openvpn does not come with easy_rsa
18:10 < NoOova> apollo13: to create a crl, yes
18:11 < NoOova> to run the server, no
18:11 < NoOova> that is what I am speaking about
18:11 < apollo13> then I do not understand the question
18:11 <@krzie> NoOova: LOL don't do that
18:11 < NoOova> maybe I don't know what I want. One moment
18:11 <@krzie> you're like "what if i delete all my important CA shit on purpose?"
18:11 <@krzie> umm, don't.
18:11 <@krzie> hah
18:12 < apollo13> would be a fun experiment though :D
18:12 <@krzie> hah ya ok
18:14 < NoOova> krzie: For example I have a very small openvpn server for my family at home. CA and vpn are placed on one machine. If I carelessly run clean_all I will lose all client certificates as well as the server and ca (but I have copies of server and ca in the /etc/openvpn/ directory). So I will have a situation where I could not block any user because I don't know my users (I lost all client certificates).
18:15 < apollo13> so just create a new ca and issue new certs
18:15 < apollo13> we are talking about home usage here^^
18:15 < NoOova> ^^
18:15 < NoOova> Speaking about anything else here is unsafe.
18:17 <@krzie> if you carelessly remove your CA setup, yes you will suck at managing your vpn
18:17 <@krzie> you could also accidentally format your hard drive
18:17 <@krzie> i can't help you in that case either
18:17 < NoOova> krzie: ok. Now it is clear
18:19 < NoOova> So now I understand. My question was 'Do I need to save client certificates on the CA server?'. Yes, I do.
18:19 < NoOova> Client keys I don't need.
18:19 <@krzie> its not so much the client certs
18:19 <@krzie> there's other stuff in the CA setup
18:19 <@krzie> serial file and whatnot
18:19 <@krzie> backup the entire CA setup if it matters
18:20 <@krzie> if its literally a home setup with a couple clients then like apollo13 said you could always just reissue certs
18:20 < apollo13> NoOova: if you are running a serial business you would not have the users' keys in the first place
18:20 < apollo13> s/serial/serious/ ups ;)
18:20 < apollo13> too much serial in here
18:20 <@krzie> yes ^ that
18:20 < NoOova> Thank you guys!
18:21 <@krzie> no problem =]
20:31 < DeathOverLord> question
20:32 < [Mew2]> please ask
20:32 < DeathOverLord> does a vpn hide ur ip just when u surf the web
20:32 < DeathOverLord> what about when u d.l on bit torrents
20:32 < DeathOverLord> ?
20:32 < [Mew2]> depending on how you have got it set up, it can route all traffic through the VPN's IP
20:35 < DeathOverLord> i did a check on whats my ip, it showed a different ip
21:17 <@krzie> also it depends what you mean by "hide your ip"
21:18 <@krzie> it hides it from the server you connected to... but you're still traceable by governments, and your vpn provider, and whatnot
21:18 <@krzie> a vpn is not a misattribution network, its just a vpn
21:18 <@krzie> it encrypts your traffic between 2 points, nothing more
21:19 <@krzie> its possible to modifty your default route to go over the vpn, in which case all your traffic goes over the vpn
21:19 <@krzie> modify*
--- Log closed Fri Jan 08 00:09:11 2016
--- Log opened Fri Jan 08 16:18:50 2016
16:19 < _FBi> is your nmap working?
16:19 < Protagonistics> it's working. picks up other ports open fine
16:20 < Protagonistics> lol, the topic here does say "your problem is probably firewall"
16:22 < Protagonistics> ok. so I'll open the port with -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 1194 -j ACCEPT
16:23 < _FBi> you had no firewall rules
16:23 < _FBi> ie, no firewall
16:23 < Protagonistics> if I had no firewall, then it should just work
16:24 < _FBi> *shrug*
16:27 < _FBi> Protagonistics, try slowing down the nmap
16:28 < _FBi> udp isn't like tcp. it might not reply
16:28 < Protagonistics> hmm. that would also make sense
16:28 < _FBi> https://nmap.org/book/man-port-scanning-techniques.html
16:28 <@vpnHelper> Title: Port Scanning Techniques (at nmap.org)
17:00 < gribib> ..can someone explain to me why I'm losing the connection when openvpn is doing a key renegotiation, for up to 5-6 sec?
22:21 < excalibr> Is it possible to pass the ip address and port num of the vpn server you're connected to to an external script?
22:26 < excalibr> Got it. Found a bunch of useful env vars in the openvpn man page
--- Day changed Sat Jan 09 2016
02:34 < user123irc> hello, wanted to ask why http://freevpn.me/ is offline?
03:25 < f0o> user123irc: ask freevpn.me, what does OpenVPN have to do with it?
09:24 < gribib> evening ppl...
09:25 < gribib> I'm having an issue with the connection dropping during renegotiation, is this a known issue?
10:02 < alexutzu01x> hi all
10:02 < alexutzu01x> someone here
10:02 < alexutzu01x> ?
12:39 < mete> does anyone know of a cipher speed list for the windows openvpn implementation?
12:52 <@ecrist> mete: openssl has a performance option
12:52 <@ecrist> https://www.openssl.org/docs/manmaster/apps/speed.html
12:52 <@vpnHelper> Title: OpenSSL (at www.openssl.org)
12:53 < mete> I know ecrist, for linux this is no prob, but I don't have openssl on my win machines...
14:27 < James_Epp> !welcome
14:27 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
14:27 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:27 < James_Epp> !man
14:27 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend!
or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
14:28 < James_Epp> !goal
14:28 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server, I would like to access the internet over my vpn, I just want a secure connection between 2 computers, etc
14:28 < James_Epp> !howto
14:28 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
15:47 < James_Epp> Any help? I'm trying to do the quick and dirty static key mini-howto. I setup my config file with the remote, dev tun, ifconfig, and secret parameters. But on my windows client I get "options error: specify only one of --tls-server, --tls-client, or --secret"
15:48 <+apollo13> show your whole config
15:48 < James_Epp> !configs
15:48 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting
15:48 < James_Epp> !paste
15:48 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
15:49 < James_Epp> +apollo13: https://bpaste.net/show/00cdd465194d Thanks! :)
15:52 <+apollo13> James_Epp: and how are you trying to run that?
15:53 <+apollo13> ie console or some gui?
15:54 < James_Epp> apollo13: Right click and use the context menu option.
15:54 <+apollo13> James_Epp: might be that the client adds --tls-client on the cmd line
15:54 < James_Epp> so console I suppose would be it.
15:55 <+apollo13> run openvpn manually in the console
15:56 < James_Epp> +apollo13: I opened up CMD as admin, cd to bin directory, "openvpn.exe c:\users\user\desktop\client.ovpn". Same error.
15:57 <+apollo13> James_Epp: what happens if you comment "client"
15:58 <+apollo13> ah client is an acronym for tls-client + pull
15:58 <+apollo13> there you go…
15:59 < James_Epp> So comment it out?
15:59 <+apollo13> yes
15:59 < James_Epp> and it works.
16:00 < James_Epp> I think the guides online need to be updated. I had to make a couple wild guesses on this stuff.
16:00 <+apollo13> mhm, maybe, though if you had actually read the manpage for the options you used instead of guessing you would have seen that ;)
16:01 <@plaisthos> apollo13: have you seen that thing?
16:01 <@plaisthos> that is huge, nobody reads that much text!
16:01 <+apollo13> plaisthos: yes, I read it from top to bottom once
16:01 <+apollo13> there are amazing options in openvpn
16:01 <@plaisthos> apollo13: I know :d
16:01 <+apollo13> including internal packet filters and what not
16:01 <@plaisthos> apollo13: and not all of them are documented
16:01 <+apollo13> the ability to split the network into pool and static config etc
16:01 <@plaisthos> apollo13: I never read the man page in whole
16:02 <+apollo13> well, it is an interesting read
16:04 < James_Epp> I kinda feel insulted by that, because I would expect that there is a guide online and I read that, I shouldn't be told to RTFM.
16:04 < James_Epp> >official instructions don't work >did you read the man page? >uhhhhhhh no........
16:04 <+apollo13> James_Epp: curious, which "official" instructions?
16:05 < James_Epp> https://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html
16:05 <@vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
16:05 < James_Epp> https://openvpn.net/index.php/open-source/documentation/howto.html#quick
16:05 <@vpnHelper> Title: HOWTO (at openvpn.net)
16:05 <+apollo13> James_Epp: well and why didn't you use that official doc then and added "client" to your config?
16:05 < James_Epp> I did.
16:05 <+apollo13> ??
16:05 < James_Epp> I used the sample config and modified the options it told me to.
16:05 -!- Uranio [~Uranio@euro217.vpnbook.com] has quit [Read error: Connection reset by peer]
16:06 <+apollo13> James_Epp: read the first line of the sample config
16:06 <+apollo13> you edited the wrong sample config
16:06 <+apollo13> "# for connecting to multi-client server. #"
16:06 < James_Epp> There's only one sample config.
16:06 <+apollo13> this is surely never for a static key setup
16:06 <+apollo13> that may be, but it is not for static key setup
16:06 -!- allizom [~Thunderbi@95.234.175.213] has quit [Quit: allizom]
16:06 <+apollo13> and nowhere on that documentation link you sent did it suggest to edit a sample file but write a new one instead
16:07 -!- allizom [~Thunderbi@95.234.175.213] has joined #openvpn
16:07 < James_Epp> Well, it's not a step by step like the howto.html link is. So I used both in tandem.
16:08 -!- allizom [~Thunderbi@95.234.175.213] has quit [Client Quit]
16:08 <+apollo13> not step by step? it lists a way to generate the key and the full minimal config files you need ;) but may that as it be, at least the doc is not wrong
16:10 < James_Epp> Even using it, I can't ping the 10.8.0.1 from the client and I can't ping the 10.8.0.2 from the server.
16:11 <+apollo13> all firewalls disabled or proper exception rules added?
16:11 < James_Epp> Which firewalls would you recommend checking? Firewalls on windows clients, or firewalls that are internet facing?
16:12 <+apollo13> if the tunnel is up then only the firewall on your machine is relevant
16:12 <+apollo13> also increase verbosity and check the output
16:13 < James_Epp> turned off windows firewall, no change. Is that the verb option?
16:13 -!- chachasmooth [~chachasmo@p4FF8EEA1.dip0.t-ipconnect.de] has quit [Read error: Connection reset by peer]
16:13 <@plaisthos> James_Epp: how about reading the manpage what --verb does?
16:14 < James_Epp> I was literally just about to look it up, m80
16:14 -!- chachasmooth [~chachasmo@p4FF8EEA1.dip0.t-ipconnect.de] has joined #openvpn
16:15 <@plaisthos> James_Epp: don't get me wrong, but on irc, people tend to help "people who help themselves"
16:15 <@plaisthos> if I get the impression that someone wants to be spoon-fed I usually lose all interest
16:15 -!- M4rc3l [~xxx@unaffiliated/m4rc3l] has left #openvpn []
16:19 -!- James_Epp [d8249203@gateway/web/freenode/ip.216.36.146.3] has quit [Quit: Page closed]
16:42 <@krzie> hey guys =]
16:42 <@plaisthos> krzie: hey
16:42 <@krzie> ltns bro hows it been
16:42 <+apollo13> ?
16:46 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has quit [Remote host closed the connection]
16:57 -!- averagecase [~bolle@cl-3825.cgn-01.de.sixxs.net] has quit [Quit: Leaving]
17:10 < gribib> any of you guys know what the cpu consuming bit is on the rekeying process in openvpn? apparently is the BCM4706 too small?!
17:10 -!- marlinc [~marlinc@unaffiliated/marlinc] has quit [Remote host closed the connection]
17:11 <+apollo13> whatever that is
17:12 < gribib> BCM4706 = 600 MHz MIPS32® 74K superscalar CPU
17:12 <+apollo13> ah, no idea, I am running openvpn mainly on >3ghz CPUs
17:13 <+apollo13> not sure why rekeying would be more intensive than actual connection creation though
17:13 -!- marlinc [~marlinc@unaffiliated/marlinc] has joined #openvpn
17:13 < gribib> cpu goes to 100% while rekeying and connection is droed for 5-6 sec
17:13 < gribib> droped*
17:16 -!- whfsdude [~whfsdude@Zenoss/Support/whfsdude] has quit [Ping timeout: 260 seconds]
17:27 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:27 -!- xamindar [~quassel@c-24-4-76-244.hsd1.ca.comcast.net] has joined #openvpn
17:31 -!- apollo13 [apollo13@django/committer/apollo13] has left #openvpn ["Leaving"]
17:32 -!- xalice [~root@2001:bc8:348c:100::1] has quit [Read error: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac]
17:33 -!- xalice [~root@2001:bc8:348c:100::1] has joined #openvpn
17:35 <@krzie> gribib: ya sucks huh
17:35 <@krzie> i have some voip phones that do the same thing
17:36 <@krzie> (because i choose to use 4096 keys and 4096 dh)
17:36 <@krzie> my old phones take 15 seconds and the new ones take like 5-6 like yours
17:36 < gribib> .. and there is nothing to do...and yeah its 4096...:(
17:36 <@krzie> you could make it reneg less often if you want
17:37 < gribib> not in control of the server....:(
17:37 < gribib> have tried..
17:37 <@krzie> hah you dont have one of my phones do you? :-p
17:38 < gribib> hehe nope
17:38 -!- marlinc [~marlinc@unaffiliated/marlinc] has quit [Remote host closed the connection]
17:39 < gribib> ... just wanted to know what causes it.... but i can find anything describing the process
17:39 <@krzie> ahh
17:39 < gribib> but i could imagine it have something to do with generating keys...
17:39 <@krzie> !forwardsecurity
17:39 <@vpnHelper> "forwardsecurity" is (#1) in server/client mode with certs your key renegotiates (changes) every hour (by default), so if someone captures your traffic, and then gets your key, they can only decrypt the traffic within the timeframe since last renegotiation or (#2) in ptp mode (static key) you do not have this, so if someone gets your key they can decrypt ANY past traffic that they captured
17:40 <@krzie> !dh
17:40 <@vpnHelper> "dh" is (#1) build-dh from easy-rsa and option dh in ssl-admin, creates a file which is a prime number the size of bits you defined (1024 default) which is used in the diffie-hellman algorithm to provide a method to negotiate a secure connection over an insecure channel. just one of the layers of encryption available to you in your VPN or (#2) openssl gendh [numbits]
17:40 <@krzie> i guess you figured out the problem much faster than me then
17:41 <@krzie> i thought it was random network issues
17:41 < gribib> well used some a couple of days...
17:41 <@krzie> then FINALLY one day i figured out i was overpowering the cpu with reneg, so i set to reneg every minute to test and it was definitely that
17:41 <@krzie> lol ya i didnt figure it out for over a year
17:42 < gribib> hehe wow...
17:42 <@krzie> i knew there was *something* going on, but i have an entire darknet the calls are going over
17:42 <@krzie> so i didnt pinpoint the issue to the end devices
17:43 <@krzie> if it was just a server with some phones it would have been much easier to know ;]
17:44 < gribib> .. if it was possible to use less cpu power and make it calculate longer i wouldnt have any problems... because it can use the old key for 1 hour while the new one is built
17:44 <@krzie> i agree, would be nice
17:45 -!- AlmogBaku [~AlmogBaku@bzq-79-177-15-253.red.bezeqint.net] has joined #openvpn
17:45 -!- marlinc [~marlinc@unaffiliated/marlinc] has joined #openvpn
17:46 < gribib> well thx m8 for clarifying things.... nice to know im not the only one with the problem... unfortunately
17:47 < gribib> is this something dev is seeing as a problem and trying to "fix"
18:04 <@krzie> im pretty sure it is not, as it is fairly rare to use such weak cpus and also need realtime traffic without being able to handle a couple seconds of pause
18:04 <@krzie> but to be fair i am not sure, i'll ask them
18:05 <@krzie> is your use case also voip?
18:06 < gribib> both... also have a service using a sync process
18:07 < gribib> and if this sync is interrupted does it has to be restarted...
18:07 <@krzie> ouch
18:08 <@krzie> ya thats worse than my 5 seconds of garbage noise
18:08 <@krzie> so your sync process has to restart hourly
18:08 <@krzie> that sucks
18:08 < gribib> but the thing that puzzles me is when the vpn link is up i can run up to 25Mbit
18:08 < gribib> ^^ yes
18:08 -!- marlinc [~marlinc@unaffiliated/marlinc] has quit [Remote host closed the connection]
18:09 < gribib> its only the renegotiation that bugs me....
18:09 < gribib> and my link usage is max 1Mbit
18:11 -!- marlinc [~marlinc@unaffiliated/marlinc] has joined #openvpn
18:14 <@krzie> well link speed is a totally different subject
18:15 <@krzie> i asked in the dev channel, we'll see if anybody pops in any time soon
18:17 < gribib> :) super thx
18:30 < gribib> did an openssl speed test of system... "rsa 4096 bits 0.638125s 0.009025s 1.6 110.8"
18:31 < gribib> while i did the test the cpu se 100% but i didnt lose the vpn connection at that time... so this mean its a process in the openvpn program
18:33 < gribib> its a process in the openvpn thats proping the connection
18:33 < gribib> droping*
18:38 <@krzie> i believe openvpn blocks during reneg
18:38 -!- NightMonkey [~NightMonk@pdpc/supporter/professional/nightmonkey] has joined #openvpn
18:39 -!- marlinc [~marlinc@unaffiliated/marlinc] has quit [Remote host closed the connection]
18:43 -!- marlinc [~marlinc@unaffiliated/marlinc] has joined #openvpn
18:44 < gribib> or waiting for the while its calling a process in the openssl for building the new key..
18:46 -!- AlmogBaku [~AlmogBaku@bzq-79-177-15-253.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
18:47 < gribib> but openvpn does have a transition window where both old and new key can work at the same time.... so such a process should be run in the background...
18:48 <@krzie> makes sense to me
18:54 -!- xamindar [~quassel@c-24-4-76-244.hsd1.ca.comcast.net] has quit [Read error: Connection reset by peer]
19:07 -!- xamindar [~quassel@c-24-4-76-244.hsd1.ca.comcast.net] has joined #openvpn
19:09 -!- marlinc [~marlinc@unaffiliated/marlinc] has quit [Remote host closed the connection]
19:15 -!- marlinc [~marlinc@unaffiliated/marlinc] has joined #openvpn
19:39 -!- marlinc [~marlinc@unaffiliated/marlinc] has quit [Remote host closed the connection]
19:41 -!- [Mew2] [~m@unaffiliated/pokemaster] has quit [Quit: m]
19:41 -!- marlinc [~marlinc@unaffiliated/marlinc] has joined #openvpn
19:42 -!- [Mew2] [~m@unaffiliated/pokemaster] has joined #openvpn
19:51 -!- marlinc [~marlinc@unaffiliated/marlinc] has quit [Remote host closed the connection]
19:54 -!- marlinc [~marlinc@unaffiliated/marlinc] has joined #openvpn
19:54 -!- marlinc [~marlinc@unaffiliated/marlinc] has quit [Read error: Connection reset by peer]
19:55 -!- somis [~somis@167.160.44.201] has quit [Quit: Leaving]
20:14 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
20:15 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Max SendQ exceeded]
20:15 -!- marlinc [~marlinc@unaffiliated/marlinc] has joined #openvpn
20:15 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
20:16 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Max SendQ exceeded]
20:16 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
20:40 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Quit: Apparantly my attempt to stay awake has failed...]
21:19 -!- chachasmooth [~chachasmo@p4FF8EEA1.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
21:22 -!- chachasmooth [~chachasmo@p5B125BC8.dip0.t-ipconnect.de] has joined #openvpn
21:23 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has quit [Remote host closed the connection]
21:26 * krzie slaps ecrist around a bit with a large fishbot
21:31 -!- tobinski_ [~tobinski@x2f5df31.dyn.telefonica.de] has joined #openvpn
21:34 -!- weox [uid112413@gateway/web/irccloud.com/x-kqtjjykkdtwlhgkn] has quit [Quit: Connection closed for inactivity]
21:35 -!- tobinski___ [~tobinski@x2f561b8.dyn.telefonica.de] has quit [Ping timeout: 255 seconds]
21:35 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
21:37 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
21:41 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
21:46 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Ping timeout: 260 seconds]
21:47 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
21:47 -!- joako [~joako@opensuse/member/joak0] has quit [Quit: quit]
21:48 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Max SendQ exceeded]
21:48 -!- NP-Hardass [~NP-Hardas@gentoo/developer/np-hardass] has quit [Ping timeout: 256 seconds]
21:48 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
21:49 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
21:49 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Max SendQ exceeded]
21:50 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
21:50 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Max SendQ exceeded]
21:51 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
21:52 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Max SendQ exceeded]
21:52 -!- wingman2 [~wingman2@web.innestech.net] has joined #openvpn
21:52 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
21:52 -!- joako [~joako@opensuse/member/joak0] has quit [Client Quit]
21:53 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Max SendQ exceeded]
21:54 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
21:54 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
21:54 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Max SendQ exceeded]
21:57 < wingman2> !welcome
21:57 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
21:57 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
21:58 < wingman2> I have a server that I use as a tunnel for internet access, but I also want to use it for clients so I can just access ssh behind a nat
21:58 < wingman2> Would I just add route-nopull to the client.ovpn or is there a more commonly used method?
22:05 -!- NP-Hardass [~NP-Hardas@gentoo/developer/np-hardass] has joined #openvpn
22:47 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
22:53 < wingman2> It works I just was wondering about a better option
22:54 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Quit: He who dares .... wins.]
23:04 -!- jnewt [~jnewt@99-127-232-51.lightspeed.mssnks.sbcglobal.net] has joined #openvpn
23:06 -!- ShadniX [dagger@p5DDFED6D.dip0.t-ipconnect.de] has quit [Ping timeout: 246 seconds]
23:06 < jnewt> I'm getting 50-75KB/s transfer over vpn. internet plan is 15/3M on one end and 18/3M on the other. anyway to speed up transfer, or is this unrelated to the vpn?
23:07 < jnewt> speedtest shows near advertised rates on both ends.
23:07 -!- ShadniX [dagger@p5DDFD56E.dip0.t-ipconnect.de] has joined #openvpn
23:10 -!- Paaltomo [~Paaltomo@159.203.30.107] has quit [Ping timeout: 250 seconds]
23:24 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds]
23:27 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn
23:35 -!- Meow-J [uid69628@gateway/web/irccloud.com/x-xgbjtbapoyhmcfyj] has joined #openvpn
23:54 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
23:57 -!- jesopo [jess@lolnerd.net] has quit [Quit: et nos unum sumus]
--- Day changed Sun Jan 10 2016
00:04 -!- ShadniX [dagger@p5DDFD56E.dip0.t-ipconnect.de] has quit [Ping timeout: 246 seconds]
00:05 -!- ShadniX [dagger@p5DDFFF93.dip0.t-ipconnect.de] has joined #openvpn
00:06 -!- pk12_ [~pk12@104.243.24.236] has joined #openvpn
00:08 -!- pk12 [~pk12@104.243.24.236] has quit [Ping timeout: 264 seconds]
00:16 -!- pk12_ [~pk12@104.243.24.236] has quit [Read error: Connection reset by peer]
00:20 -!- pk12 [~pk12@104.243.24.236] has joined #openvpn
00:37 -!- arlen [~arlen@jarvis.arlen.io] has quit [Remote host closed the connection]
00:47 < subzero79> wingman2, you can use def1 in the clients config, or use ccd to push different configs for clients
00:48 < subzero79> !bot
00:48 <@vpnHelper> "bot" is I'm a bot.. just a bot. krzee and ecrist are my maintainers, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P
00:48 < subzero79> krzee, what software you use for the bot?
00:48 < subzero79> or ecrist
00:58 -!- arlen [~arlen@jarvis.arlen.io] has joined #openvpn
01:17 -!- marlinc [~marlinc@unaffiliated/marlinc] has quit [Ping timeout: 246 seconds]
01:49 -!- weox [uid112413@gateway/web/irccloud.com/x-uykaiklsbdxkqkrn] has joined #openvpn
02:16 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn
02:36 -!- moriko [~moriko@178.162.222.41.adsl.inet-telecom.org] has joined #openvpn
02:41 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 240 seconds]
03:24 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds]
03:26 -!- Meow-J [uid69628@gateway/web/irccloud.com/x-xgbjtbapoyhmcfyj] has quit [Quit: Connection closed for inactivity]
03:26 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn
03:27 -!- bootsWitDaFur [~Adium@cpe-24-90-230-39.nyc.res.rr.com] has joined #openvpn
03:32 -!- AlmogBaku [~AlmogBaku@bzq-82-81-34-76.red.bezeqint.net] has joined #openvpn
03:41 -!- AlmogBaku [~AlmogBaku@bzq-82-81-34-76.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
03:44 -!- AlmogBaku [~AlmogBaku@bzq-82-81-34-76.red.bezeqint.net] has joined #openvpn
04:13 -!- jnewt [~jnewt@99-127-232-51.lightspeed.mssnks.sbcglobal.net] has quit [Ping timeout: 265 seconds]
04:14 -!- bootsWitDaFur [~Adium@cpe-24-90-230-39.nyc.res.rr.com] has quit [Quit: Leaving.]
04:19 -!- catsup [d@ps38852.dreamhost.com] has quit [Read error: Connection reset by peer]
04:19 -!- catsup [~d@ps38852.dreamhost.com] has joined #openvpn
04:20 -!- catsup [~d@ps38852.dreamhost.com] has quit [Read error: Connection reset by peer]
04:35 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
04:36 -!- AlmogBaku [~AlmogBaku@bzq-82-81-34-76.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
04:51 -!- jesopo [jess@lolnerd.net] has joined #openvpn
05:00 -!- marlinc [~marlinc@unaffiliated/marlinc] has joined #openvpn
05:00 -!- ustn [~ustn@p4FDB1E49.dip0.t-ipconnect.de] has joined #openvpn
05:04 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 265 seconds]
05:04 -!- Darkwell [~Darkwell@unaffiliated/phantom-x] has quit [Quit: ZNC - http://znc.in]
05:05 -!- Darkwell [~Darkwell@unaffiliated/phantom-x] has joined #openvpn
05:08 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
05:10 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:15 < gribib> hi ppl...
05:19 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
05:29 -!- moriko [~moriko@178.162.222.41.adsl.inet-telecom.org] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
05:37 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
05:40 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Client Quit]
05:45 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
05:46 -!- peder [~peder@rubin.ifi.uio.no] has joined #openvpn
05:51 -!- ustn [~ustn@p4FDB1E49.dip0.t-ipconnect.de] has quit [Quit: ustn]
05:52 -!- moriko [~moriko@c49-196.i07-13.onvol.net] has joined #openvpn
06:05 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
06:09 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
06:14 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Client Quit]
06:18 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
06:29 -!- moriko [~moriko@c49-196.i07-13.onvol.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
07:06 -!- CaTtleyA [~CaTtleyA@aputeaux-653-1-99-94.w86-195.abo.wanadoo.fr] has quit [Quit: leaving]
07:08 -!- CaTtleyA [~CaTtleyA@aputeaux-653-1-99-94.w86-195.abo.wanadoo.fr] has joined #openvpn
07:08 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
07:12 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
07:14 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Client Quit]
07:19 -!- kojin [~kojin@unaffiliated/kojin] has joined #openvpn
07:19 < kojin> hi all
07:20 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
07:21 < kojin> Since at work I've a very restrictive firewall, I want openvpn to listen on port 443 tcp. This may cause an error if I also have a webserver?
07:33 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
07:34 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
07:39 -!- allizom [~Thunderbi@95.234.175.213] has joined #openvpn
07:39 -!- deviantintegral [~deviantin@drupal.org/user/71291/view] has quit [Ping timeout: 255 seconds]
07:41 -!- deviantintegral [~deviantin@drupal.org/user/71291/view] has joined #openvpn
07:53 -!- allizom [~Thunderbi@95.234.175.213] has quit [Quit: allizom]
07:56 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
08:04 -!- Paaltomo [~Paaltomo@159.203.30.107] has joined #openvpn
08:13 -!- jesopo is now known as lost_the_game
08:13 -!- lost_the_game is now known as jesopo
08:14 -!- moriko [~moriko@c49-196.i07-13.onvol.net] has joined #openvpn
08:19 -!- moriko [~moriko@c49-196.i07-13.onvol.net] has quit [Client Quit]
08:19 <@plaisthos> kojin: look into port-share
08:20 < kojin> ok thanks
08:20 <@plaisthos> plaisthos: but without special care, yes
08:20 <@plaisthos> and also see
08:20 <@plaisthos> !tcp
08:20 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
08:20 < kojin> thanks plaisthos
08:25 -!- catsup [d@ps38852.dreamhost.com] has joined #openvpn
08:26 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
08:34 -!- somis [~somis@167.160.44.201] has joined #openvpn
08:35 -!- somis [~somis@167.160.44.201] has quit [Remote host closed the connection]
08:37 -!- somis [~somis@167.160.44.201] has joined #openvpn
08:41 -!- CaTtleyA [~CaTtleyA@aputeaux-653-1-99-94.w86-195.abo.wanadoo.fr] has quit [Quit: leaving]
08:42 -!- CaTtleyA [~CaTtleyA@aputeaux-653-1-99-94.w86-195.abo.wanadoo.fr] has joined #openvpn
08:44 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds]
08:46 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Quit: Konversation terminated!]
08:46 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn
08:50 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn
08:55 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has joined #openvpn
08:55 -!- pk12 [~pk12@104.243.24.236] has quit [Read error: Connection reset by peer]
08:56 -!- pk12 [~pk12@104.243.24.236] has joined #openvpn
08:57 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn
09:32 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
09:34 -!- gribib [5cf6106c@gateway/web/freenode/ip.92.246.16.108] has left #openvpn []
09:44 -!- allizom [~Thunderbi@95.234.175.213] has joined #openvpn
09:49 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
10:17 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
10:21 -!- shiriru [~shiriru@46.10.54.164] has joined #openvpn
10:35 -!- Meow-J [uid69628@gateway/web/irccloud.com/x-znnamnicffrbizcx] has joined #openvpn
10:37 -!- Badimo [~iou@ppp-2-86-168-81.home.otenet.gr] has joined #openvpn
10:37 -!- shiriru [~shiriru@46.10.54.164] has quit [Quit: Leaving]
10:52 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
10:59 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Ping timeout: 260 seconds]
10:59 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
11:01 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
11:04 -!- allizom [~Thunderbi@95.234.175.213] has quit [Quit: allizom]
11:05 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Client Quit]
11:07 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
11:07 -!- L0uk3 [~lukethedr@unaffiliated/lukethedrifter] has joined #openvpn
11:19 -!- L0uk3 [~lukethedr@unaffiliated/lukethedrifter] has quit [Quit: bis später]
11:21 -!- L0uk3 [~lukethedr@unaffiliated/lukethedrifter] has joined #openvpn
11:24 -!- L0uk3 [~lukethedr@unaffiliated/lukethedrifter] has quit [Client Quit]
11:28 -!- CaTtleyA [~CaTtleyA@aputeaux-653-1-99-94.w86-195.abo.wanadoo.fr] has quit [Ping timeout: 272 seconds]
11:29 -!- CaTtleyA_ [~CaTtleyA@aputeaux-653-1-99-94.w86-195.abo.wanadoo.fr] has joined #openvpn
11:34 -!- CaTtleyA_ [~CaTtleyA@aputeaux-653-1-99-94.w86-195.abo.wanadoo.fr] has quit [Remote host closed the connection]
11:34 -!- CaTtleyA [~CaTtleyA@aputeaux-653-1-99-94.w86-195.abo.wanadoo.fr] has joined #openvpn
11:40 -!- CaTtleyA [~CaTtleyA@aputeaux-653-1-99-94.w86-195.abo.wanadoo.fr] has quit [Remote host closed the connection]
11:40 -!- CaTtleyA [~CaTtleyA@aputeaux-653-1-99-94.w86-195.abo.wanadoo.fr] has joined #openvpn
11:40 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
11:44 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
11:53 -!- NP-Hardass [~NP-Hardas@gentoo/developer/np-hardass] has quit [Quit: WeeChat 1.3]
12:05 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
12:22 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
12:26 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Client Quit]
12:35 -!- moriko [~moriko@c49-196.i07-13.onvol.net] has joined #openvpn
12:43 -!- jnewt [~jnewt@99-127-232-51.lightspeed.mssnks.sbcglobal.net] has joined #openvpn
12:44 -!- jackbrown [~se@unaffiliated/jackbrown] has joined #openvpn
12:49 -!- bootsWitDaFur [~Adium@cpe-24-90-230-39.nyc.res.rr.com] has joined #openvpn
13:03 -!- kojin [~kojin@unaffiliated/kojin] has quit [Read error: Connection reset by peer]
13:04 -!- mgorbach [~mgorbach@pool-96-237-153-21.bstnma.ftas.verizon.net] has quit [Quit: ZNC - http://znc.in]
13:05 -!- mgorbach [~mgorbach@pool-96-237-153-21.bstnma.ftas.verizon.net] has joined #openvpn
13:45 -!- moriko [~moriko@c49-196.i07-13.onvol.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
13:46 -!- Meow-J [uid69628@gateway/web/irccloud.com/x-znnamnicffrbizcx] has quit [Quit: Connection closed for inactivity]
13:51 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn
13:51 -!- speeddragon [~speeddrag@sm2-84-91-40-157.netvisao.pt] has joined #openvpn
14:13 -!- speeddragon [~speeddrag@sm2-84-91-40-157.netvisao.pt] has quit [Remote host closed the connection]
14:31 -!- speeddragon [~speeddrag@sm2-84-91-40-157.netvisao.pt] has joined #openvpn
14:36 -!- allizom [~Thunderbi@95.234.175.213] has joined #openvpn
14:56 -!- bootsWitDaFur [~Adium@cpe-24-90-230-39.nyc.res.rr.com] has quit [Quit: Leaving.]
14:57 -!- Toggi3 [jeff@he.ddosd.us] has joined #openvpn
14:59 < Toggi3> What do people suggest for managing openvpn users and certs? Or does everyone just do things in commandline and script their own thing?
15:00 < Toggi3> looking for things kind of turn key and easy for people to manage
15:01 -!- tilllt [~till@37.120.67.98] has joined #openvpn
15:03 < tilllt> hi people. i want to use the $route_vpn_gateway variable in an up script (on openwrt) but 'env' doesn't show any additional variables to be set after a successful connection is established. do i specifically have to configure the setting of env variables or is this a default behaviour?
15:18 -!- somis [~somis@167.160.44.201] has quit [Quit: Leaving]
15:27 -!- somis [~somis@167.160.44.201] has joined #openvpn
15:27 -!- somis [~somis@167.160.44.201] has quit [Remote host closed the connection]
15:27 -!- jackbrown [~se@unaffiliated/jackbrown] has quit [Ping timeout: 264 seconds]
15:29 -!- somis [~somis@167.160.44.201] has joined #openvpn
15:43 -!- AlmogBaku [~AlmogBaku@bzq-79-177-15-253.red.bezeqint.net] has joined #openvpn
15:44 -!- AlmogBaku [~AlmogBaku@bzq-79-177-15-253.red.bezeqint.net] has quit [Client Quit]
15:46 < crane> Toggi3: script their own stuff. i use an ansible playbook to manage users and certs and bundle everything including configuration up in a single zip file
15:46 -!- AlmogBaku [~AlmogBaku@bzq-79-177-15-253.red.bezeqint.net] has joined #openvpn
15:47 <@krzie> subzero79:
15:47 <@krzie> !version
15:47 <@vpnHelper> The current (running) version of this Supybot is 0.83.4.1. The newest version available online is 0.83.4.1.
15:47 < subzero79> thanks krzie 15:48 <@krzie> no problem 15:50 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 260 seconds] 15:50 -!- tilllt [~till@37.120.67.98] has quit [Ping timeout: 255 seconds] 15:53 -!- AlmogBaku [~AlmogBaku@bzq-79-177-15-253.red.bezeqint.net] has quit [Read error: Connection reset by peer] 15:54 -!- AlmogBaku [~AlmogBaku@ec2-52-29-117-25.eu-central-1.compute.amazonaws.com] has joined #openvpn 15:57 -!- jnewt [~jnewt@99-127-232-51.lightspeed.mssnks.sbcglobal.net] has quit [Quit: Leaving] 16:08 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 16:17 -!- moriko [~moriko@c49-196.i07-13.onvol.net] has joined #openvpn 16:23 -!- Exagone313 [exa@elou.world] has quit [Ping timeout: 255 seconds] 16:26 -!- Exagone313 [exa@elou.world] has joined #openvpn 16:28 <@krzie> Toggi3: well easy-rsa is popular for it 16:28 <@krzie> ssl-admin also exists 16:29 <@krzie> theres even some windows apps for managing certs 16:30 <@krzie> personally i use ssl-admin in most cases, and i also scripted up something for it for a company i run 16:31 -!- AfroThundr [~AfroThund@2601:147:c001:6667:fd06:1a9a:23b6:18b8] has quit [Read error: Connection reset by peer] 16:41 -!- AlmogBak_ [~AlmogBaku@bzq-79-177-15-253.red.bezeqint.net] has joined #openvpn 16:45 -!- AlmogBaku [~AlmogBaku@ec2-52-29-117-25.eu-central-1.compute.amazonaws.com] has quit [Ping timeout: 264 seconds] 16:47 -!- moriko [~moriko@c49-196.i07-13.onvol.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 16:51 -!- allizom [~Thunderbi@95.234.175.213] has quit [Quit: allizom] 16:55 -!- whfsdude [~whfsdude@Zenoss/Support/whfsdude] has joined #openvpn 17:04 -!- moriko [~moriko@c49-196.i07-13.onvol.net] has joined #openvpn 17:07 -!- AlmogBak_ [~AlmogBaku@bzq-79-177-15-253.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 17:18 -!- moriko [~moriko@c49-196.i07-13.onvol.net] has quit [Quit: My Mac has gone to sleep. 
ZZZzzz…] 17:23 -!- AlmogBaku [~AlmogBaku@bzq-79-177-15-253.red.bezeqint.net] has joined #openvpn 17:43 -!- AlmogBaku [~AlmogBaku@bzq-79-177-15-253.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 17:50 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Remote host closed the connection] 17:53 -!- c|oneman [cloneman@1337.montrealdark.com] has joined #openvpn 17:55 -!- Sambom__ [~Sambom@h119n19-k-flo-a13.ias.bredband.telia.com] has quit [Read error: Connection reset by peer] 18:00 -!- John [~john@unaffiliated/john] has joined #openvpn 18:00 < John> hey all 18:00 < John> im new to VPNs, and after setting mine up, it seems: 18:00 < John> 1) really quite slow, although usable 18:01 < John> 2) When i grab a VNC screenshot, about 25% of the screen downloads, then stops, then the whole VPN connection needs to be restarted before i can talk to that client again on the VPN 18:02 < John> The whole connection meaning client A who was grabbing the screen of client B 18:02 -!- hive-mind [pranq@mail.bbis.us] has quit [Ping timeout: 272 seconds] 18:04 < John> ok, er, it seems that once client A has grabbed a lot of data from client B, the whole VPN connection of client A becomes unusable 18:05 < John> Like, i can't do anything on the VPN anymore, like ive been rate-limited 18:05 < John> Is that possible? 18:06 < John> Seems like after ive recevied X amount of data from another client, i get blocked... 
18:06 < John> (unless i disconnect and reconnect to the VPN) 18:09 -!- hive-mind [pranq@mail.bbis.us] has joined #openvpn 18:23 < John> yeah it seems like after i send a certain number of bytes to another client, the VPN locks up 18:28 -!- speeddragon [~speeddrag@sm2-84-91-40-157.netvisao.pt] has quit [Remote host closed the connection] 18:48 -!- grassass [grass@gateway/vpn/mullvad/x-rtfcxstxxmtaqmrn] has joined #openvpn 18:51 < John> I think its probably an MTU issue 18:51 < John> or fragment 18:51 < John> but i dont seem to have the mtu-test executable on any of my systems 19:12 -!- somis [~somis@167.160.44.201] has quit [Quit: Leaving] 19:13 -!- Ir0nY [~IronY@unaffiliated/irony] has joined #openvpn 19:16 <@krzie> mtu-test isnt an exec 19:16 <@krzie> its an openvpn config option 19:16 <@krzie> !man 19:16 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker 19:16 -!- IronY [~IronY@unaffiliated/irony] has quit [Ping timeout: 260 seconds] 19:16 -!- Ir0nY is now known as IronY 19:18 < John> krzie, ah, i see, its a test you can only run when initiation a VPN connection, not to an existing connection 19:18 <@krzie> ya, same thing 19:18 < John> Even weirder, it can only be invoked from the command line - you cant add it to your config file (which is what i tried before, which led me to assume its an exec( 19:19 <@krzie> not true 19:19 <@krzie> maybe you typo'ed? 19:19 < John> ...maybe 19:19 < John> i didn't use "--" ? 
19:19 < John> (in the config file) 19:20 < John> anyway, i dont think it matters - ive changed the MTU to 900 for both clients and the VPN server, and it made little difference 19:20 < John> I think i might need to fragment 19:21 < John> I would have thought openvpn would just figure out all these gory network details for me 19:21 <@krzie> !mtu 19:21 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting 19:21 < John> oh ok thanks - ill check that guide out :) 19:21 <@krzie> ya you dont use -- in config file 19:21 <@krzie> !-- 19:21 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file. 19:21 < John> Than i must have made a typo i guess 19:22 < illuminated> is there a default port for the management feature? 19:24 < John> Ahh, there was an error in the syslog i hadnt read before: Options error: --mtu-test only makes sense with --proto udp 19:24 < John> So i guess im wasting my time with MTU stuff then :P 19:24 < John> Im using tcp 443 19:25 < John> I dont know if there are any UDP ports open at my work's firewall - is there a way to scan for that? 19:32 < illuminated> nmap 19:33 < illuminated> my guess would be, though, that if there are any open tcp/udp ports at your work's firewall, then they are already forwarded to whatever internal machines is providing services on those ports. 19:34 < John> i know how to nmap something - but i'd have to nmap, say, my own server will all ports open or something? 
19:34 < John> Im trying to go out though, not it 19:34 < John> *in 19:34 < illuminated> ahh that's different 19:34 < John> I couldnt use the default UDP ports for openvpn because those ports were blocked 19:34 < John> so my first try - TCP 443 - worked 19:35 < illuminated> yeah that is https default port 19:35 < John> but it IS a little slow... perhaps UDP would be better (if i knew an open port) 19:35 < illuminated> that is what i was going to have you try 19:35 < John> I think it was you who suggested i use it about a week ago :) 19:35 < John> hehe 19:35 < illuminated> i don't recall that so i doubt it. 19:39 -!- toli [~toli@ip-62-235-221-42.dsl.scarlet.be] has quit [Ping timeout: 246 seconds] 19:45 -!- toli [~toli@ip-62-235-216-129.dsl.scarlet.be] has joined #openvpn 19:48 -!- John [~john@unaffiliated/john] has quit [Quit: Leaving] 19:49 -!- NP-Hardass [~NP-Hardas@gentoo/developer/np-hardass] has joined #openvpn 20:17 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer] 21:19 -!- chachasmooth [~chachasmo@p5B125BC8.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds] 21:21 -!- chachasmooth [~chachasmo@p5B125AA1.dip0.t-ipconnect.de] has joined #openvpn 21:30 -!- tobinski___ [~tobinski@x2f5b2c2.dyn.telefonica.de] has joined #openvpn 21:34 -!- tobinski_ [~tobinski@x2f5df31.dyn.telefonica.de] has quit [Ping timeout: 260 seconds] 21:44 -!- weox [uid112413@gateway/web/irccloud.com/x-uykaiklsbdxkqkrn] has quit [Quit: Connection closed for inactivity] 21:51 -!- penguinguru [~penguingu@120.146.12.20] has quit [Ping timeout: 272 seconds] 21:55 -!- penguinguru [~penguingu@120.146.12.20] has joined #openvpn 22:27 -!- mnathani_ [~mnathani_@192.0.149.228] has joined #openvpn 22:27 < mnathani_> I am setting up openvpn, but the part about nat on the server is confusing me 22:27 -!- Badimo [~iou@ppp-2-86-168-81.home.otenet.gr] has quit [Ping timeout: 240 seconds] 22:28 < mnathani_> client is connected with openvpn tun0 ip: 192.168.128.6 
22:28 < mnathani_> as well as eth0 ip: 10.10.1.254 22:29 < mnathani_> iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -j SNAT --to PUBLIC_IP 22:29 < mnathani_> will that work, or do I need to add the 10. range as well? 22:36 -!- jnewt [~jnewt@99-127-232-51.lightspeed.mssnks.sbcglobal.net] has joined #openvpn 22:37 < illuminated> try it and see? 22:38 < jnewt> what can i do to get faster transfer rates over vpn? I have 15/3 and 18/3 bandwidth on each end, and am currently transferring a folder of files (9.52MB) with an estimated (by windows) remaining time of 40 minutes 22:39 < jnewt> it's jumping between 50 B/s and 1 KB/s 22:45 < jnewt> config: http://pastebin.com/yxLkxMNJ 22:56 < jnewt> i just tried using comp-lzo no and push "comp-lzo no" in my config, but that didn't seem to help 23:01 -!- pk12 [~pk12@104.243.24.236] has quit [Ping timeout: 272 seconds] 23:07 -!- arlen [~arlen@jarvis.arlen.io] has left #openvpn ["exit"] 23:09 -!- arlen [~arlen@jarvis.arlen.io] has joined #openvpn 23:10 -!- pk12 [~pk12@104.243.24.236] has joined #openvpn 23:27 -!- pk12 [~pk12@104.243.24.236] has quit [Quit: byezzzzzzzzzz] 23:40 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has quit [Ping timeout: 246 seconds] 23:45 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has joined #openvpn 23:46 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has quit [Client Quit] --- Day changed Mon Jan 11 2016 00:03 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 00:04 -!- ShadniX [dagger@p5DDFFF93.dip0.t-ipconnect.de] has quit [Ping timeout: 246 seconds] 00:05 -!- ShadniX [dagger@p5481D9E4.dip0.t-ipconnect.de] has joined #openvpn 00:07 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 00:12 -!- Tenhi_ [~tenhi@static-ip-69-64-50-196.inaddr.ip-pool.com] has quit [Ping timeout: 245 seconds] 00:39 -!- jnewt [~jnewt@99-127-232-51.lightspeed.mssnks.sbcglobal.net] has quit [Ping timeout: 265 seconds] 00:41 < mnathani_> I got the openvpn server and client going, but now my routed network behind the openvpn 
client is not working 01:36 -!- dazo_afk is now known as dazo 01:52 < illuminated> mnathani_, perhaps you have redirect-gateway set in the client or server configs 02:05 -!- AlmogBaku [~AlmogBaku@bzq-79-177-15-253.red.bezeqint.net] has joined #openvpn 02:06 -!- moriko [~moriko@c49-196.i07-13.onvol.net] has joined #openvpn 02:08 -!- moriko [~moriko@c49-196.i07-13.onvol.net] has quit [Client Quit] 02:09 -!- moriko [~moriko@c49-196.i07-13.onvol.net] has joined #openvpn 02:09 -!- moriko [~moriko@c49-196.i07-13.onvol.net] has quit [Client Quit] 02:09 -!- moriko [~moriko@c49-196.i07-13.onvol.net] has joined #openvpn 02:25 -!- allizom [~Thunderbi@95.234.175.213] has joined #openvpn 03:05 < mnathani_> turned out to be a firewall issue on the centos box 03:06 < mnathani_> illuminated: thanks though 03:07 -!- AlmogBaku [~AlmogBaku@bzq-79-177-15-253.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 03:08 -!- AlmogBaku [~AlmogBaku@79.177.15.253] has joined #openvpn 03:13 -!- allizom [~Thunderbi@95.234.175.213] has quit [Ping timeout: 250 seconds] 03:14 -!- pa [~pa@unaffiliated/pa] has quit [Quit: Sto andando via] 03:15 -!- pa [~pa@unaffiliated/pa] has joined #openvpn 03:28 -!- AlmogBaku [~AlmogBaku@79.177.15.253] has quit [Quit: My Mac has gone to sleep. 
ZZZzzz…] 03:28 -!- AlmogBaku [~AlmogBaku@bzq-79-177-15-253.red.bezeqint.net] has joined #openvpn 03:34 -!- HollowPoint [~quassel@95.144.182.39] has joined #openvpn 04:00 -!- Tykling [tykling@gibfest.dk] has quit [Read error: Connection reset by peer] 04:02 -!- zmachine [~zmachine@pool-74-100-90-30.lsanca.fios.verizon.net] has quit [Ping timeout: 240 seconds] 04:06 -!- allizom [~Thunderbi@host5-166-dynamic.247-95-r.retail.telecomitalia.it] has joined #openvpn 04:07 -!- Tykling [tykling@gibfest.dk] has joined #openvpn 04:10 -!- Tenhi_ [~tenhi@static-ip-69-64-50-196.inaddr.ip-pool.com] has joined #openvpn 04:13 -!- bootsWitDaFur [~Adium@cpe-24-90-230-39.nyc.res.rr.com] has joined #openvpn 04:13 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 265 seconds] 04:19 -!- moriko [~moriko@c49-196.i07-13.onvol.net] has quit [Quit: Textual IRC Client: www.textualapp.com] 04:28 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 04:31 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn 04:32 -!- speeddragon [~speeddrag@193.137.28.200] has joined #openvpn 04:35 -!- jackbrown [~se@unaffiliated/jackbrown] has joined #openvpn 04:49 -!- jackbrown [~se@unaffiliated/jackbrown] has quit [Quit: Sto andando via] 04:54 -!- Changer90 [~quassel@217.160.177.68] has joined #openvpn 05:00 -!- Changer90 [~quassel@217.160.177.68] has left #openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."] 05:50 -!- bootsWitDaFur [~Adium@cpe-24-90-230-39.nyc.res.rr.com] has quit [Quit: Leaving.] 06:08 -!- OpenFerret [~Openferre@68.39-255-62.static.virginmediabusiness.co.uk] has joined #openvpn 06:09 < OpenFerret> Hi all, I'm having an openvpn issue on pfsense. I can set up a remote access server using SSL/TLS + User Auth with my own generated certs just fine, but when I reboot the pfsense box (to simulate an upgrade say) I then get TLS-Handshake errors when I try to reconnect remotely again. 
06:10 < OpenFerret> Would anyone be able to advise if they've seen this sort of issue before? 06:10 < OpenFerret> (I'm also asking in the #pfsense channel as well, but not enough people familiar with openvpn) 06:11 -!- AlmogBaku [~AlmogBaku@bzq-79-177-15-253.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 06:18 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds] 06:18 < OpenFerret> !welcome 06:18 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 06:18 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 06:21 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 06:37 -!- ljvb [~jason@us.vps.vanbrecht.com] has joined #openvpn 06:38 < ljvb> did someone renew their domain.. heh.. openvpn.com is up for sale y what appears to be a domain squatter 06:39 < allizom> openvpn.net 06:39 -!- johnny56 [~johnny56@unaffiliated/johnny56] has joined #openvpn 06:39 < ljvb> I though .com redirected to .net 06:39 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 256 seconds] 06:39 <@plaisthos> no 06:40 < ljvb> maybe I have just been awake for too long... and am not stuck in a giant sardine can 06:40 < ljvb> s/not/snow 06:40 < ljvb> now 06:40 < ljvb> f it.. 
I'll nap till I land 06:40 -!- weox [uid112413@gateway/web/irccloud.com/x-ratlzcfxmgossvdf] has joined #openvpn 06:43 -!- allizom [~Thunderbi@host5-166-dynamic.247-95-r.retail.telecomitalia.it] has quit [Quit: allizom] 06:46 -!- pk12 [~pk12@104.243.24.236] has joined #openvpn 06:55 -!- OpenFerret [~Openferre@68.39-255-62.static.virginmediabusiness.co.uk] has quit [Quit: Leaving] 06:57 -!- allizom [~Thunderbi@host5-166-dynamic.247-95-r.retail.telecomitalia.it] has joined #openvpn 07:30 -!- AlmogBaku [~AlmogBaku@37.26.146.217] has joined #openvpn 07:30 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 07:46 -!- AlmogBaku [~AlmogBaku@37.26.146.217] has quit [Ping timeout: 255 seconds] 07:49 -!- pk12 [~pk12@104.243.24.236] has quit [Quit: byezzzzzzzzzz] 07:50 -!- pk12 [~pk12@104.243.24.236] has joined #openvpn 07:52 -!- johnny56_ [~johnny56@gateway/vpn/privateinternetaccess/johnny56] has joined #openvpn 07:52 -!- johnny56_ [~johnny56@gateway/vpn/privateinternetaccess/johnny56] has quit [Client Quit] 07:53 -!- johnny56 [~johnny56@unaffiliated/johnny56] has quit [Ping timeout: 264 seconds] 07:53 -!- johnny56_ [~johnny56@gateway/vpn/privateinternetaccess/johnny56] has joined #openvpn 07:55 -!- johnny56_ is now known as johnny56 08:03 -!- pk12 [~pk12@104.243.24.236] has quit [Quit: byezzzzzzzzzz] 08:17 -!- whfsdude [~whfsdude@Zenoss/Support/whfsdude] has quit [Read error: Connection reset by peer] 08:28 -!- bootsWitDaFur [~Adium@cpe-24-90-230-39.nyc.res.rr.com] has joined #openvpn 08:30 -!- allizom [~Thunderbi@host5-166-dynamic.247-95-r.retail.telecomitalia.it] has quit [Quit: allizom] 08:31 -!- jnewt [~jnewt@99-127-232-51.lightspeed.mssnks.sbcglobal.net] has joined #openvpn 08:37 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has quit [Ping timeout: 260 seconds] 08:42 -!- Kireji [~nospam@unaffiliated/kireji] has joined #openvpn 08:43 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has joined #openvpn 08:44 < Kireji> running 
Tunnelblick 3.5.5 (build 4270.4461) on OSX latest/10.11.2 (15C50) - every time the computer wakes from sleep, tunnelblick tries to reconnect, and hangs. When I do a "sudo kill -9 openvpn", tunnelblick restarts the openvpn process and connects. 08:45 < Kireji> I installed tunnelblick without changing the System Integrity Protection in OS X 08:45 -!- wingman2 [~wingman2@web.innestech.net] has quit [Ping timeout: 245 seconds] 08:45 < Kireji> ideas? what should I do to report or work to fix this? 08:48 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has quit [Ping timeout: 264 seconds] 08:48 <@plaisthos> Kireji: no idea, try the 3.6.6 version? 08:48 -!- juriadobalzac [~cpe@www.badcode.net] has quit [Quit: Lost terminal] 08:49 <@plaisthos> what does the log say? 08:49 <@plaisthos> !log 08:49 <@vpnHelper> Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 08:49 <@plaisthos> !logfile 08:49 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. 
see --daemon --log and --verb in the manual (!man) for more info 08:56 -!- allizom [~Thunderbi@host5-166-dynamic.247-95-r.retail.telecomitalia.it] has joined #openvpn 09:01 -!- whfsdude [~whfsdude@Zenoss/Support/whfsdude] has joined #openvpn 09:14 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 260 seconds] 09:15 -!- allizom [~Thunderbi@host5-166-dynamic.247-95-r.retail.telecomitalia.it] has quit [Quit: allizom] 09:19 < illuminated> don't set the loglevel to like 9 09:19 < illuminated> lol 09:19 < illuminated> oh and then forget to set it back 09:21 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has joined #openvpn 09:49 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has quit [Ping timeout: 276 seconds] 09:51 -!- phreakocious [~phreakoci@64.71.143.122] has joined #openvpn 09:59 < Kireji> plaisthos: thanks, looking at logs 10:01 -!- Ryushin [user@windwalker.chrisdos.com] has quit [Ping timeout: 272 seconds] 10:33 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has joined #openvpn 10:39 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt] 10:55 -!- bMalum [~textual@194-118-82-152.adsl.highway.telekom.at] has joined #openvpn 10:56 -!- AlmogBaku [~AlmogBaku@37.26.146.196] has joined #openvpn 10:57 -!- Ryushin [~Ryushin@carl.scheinercg.com] has joined #openvpn 10:58 -!- AlmogBaku [~AlmogBaku@37.26.146.196] has quit [Max SendQ exceeded] 10:58 -!- StorageCluster [d42ff2b0@gateway/web/cgi-irc/kiwiirc.com/ip.212.47.242.176] has joined #openvpn 10:59 < StorageCluster> Hi :) I have some Questions about OpenVPN - if i want to create a tunnel - i do not have to add a device this will openvpn do for me right? 
11:00 <@Eugene> openvpn will attempt to dynamically allocate a tun/tap device on startup, yes 11:00 -!- AlmogBaku [~AlmogBaku@37.26.146.196] has joined #openvpn 11:00 -!- AlmogBaku [~AlmogBaku@37.26.146.196] has quit [Client Quit] 11:05 < StorageCluster> Eugene - cool so if I place to config in /etc/openvpn (on Ubuntu/Debian) and restart the service the tunnel will be opened? 11:11 <@Eugene> That's the theory, yes 11:11 < bMalum> How can i get the tunnel more verbose? 11:12 < StorageCluster> bMalum - afaik you can add a line to the config in the /etc/openvpn 11:13 < bMalum> yep I know but could not find with googling atm :/ 11:13 < StorageCluster> Eugene is a pro here :) he can tell you for sure. 11:20 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 11:26 -!- s34n [~chatzilla@104.152.131.130] has joined #openvpn 11:27 < s34n> I have a windows client that isn't creating routes for networks available through the vpn 11:28 < s34n> how do I tell the client to create those routes? 11:31 <@plaisthos> !push-route 11:31 <@plaisthos> hm 11:31 <@plaisthos> !push 11:31 <@vpnHelper> "push" is usage: push , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries 11:31 <@plaisthos> i.e. push "route 1.0.0.0 255.255.255.0" 11:32 -!- BtbN [btbn@unaffiliated/btbn] has quit [Quit: Bye] 11:32 -!- BtbN [btbn@unaffiliated/btbn] has joined #openvpn 11:38 < s34n> I push the routes on the server. It wroks for other clients, but not for this client. 
11:38 < s34n> *works 11:57 -!- jessec [~jessec@wsip-70-185-8-68.br.br.cox.net] has joined #openvpn 12:14 -!- ke4nhw [~ke4nhw@unaffiliated/xanthaos] has joined #openvpn 12:15 < ke4nhw> Can anyone give me more info on this error: Authenticate/Decrypt packet error: cipher final failed 12:15 < ke4nhw> I get this after Initialization Sequence Completed 12:17 < s34n> push route was failing because the client lacked permissions 12:17 < s34n> When run as Administrator, it worked 12:17 < s34n> ...kinda 12:18 < s34n> it creates the routes on the windows client. But tracert can't find the first hop 12:19 -!- bootsWitDaFur [~Adium@cpe-24-90-230-39.nyc.res.rr.com] has quit [Quit: Leaving.] 12:20 -!- John [c325d161@gateway/web/cgi-irc/kiwiirc.com/ip.195.37.209.97] has joined #openvpn 12:20 < John> hi all 12:21 < John> So im trying to set up my VPN 12:21 < John> I got it working, with issues, over TCP. I was unable to get it working over UDP 12:22 < John> So i have come back to work and using netcat, tested to see which port are open (out of work) via UDP. Turns out they all are 12:22 < John> But for fun im sticking with 443 for now 12:22 < John> I dont really know why im seeing TLS Error: TLS handshake failed 12:33 < John> What is the Local Options hash (VER=V4) and Expected Remote Options Hash? 
12:34 -!- somis [~somis@167.160.44.201] has joined #openvpn 12:35 < John> Theres really not much useful info in the server logs :/ 12:42 -!- jerin [uid67648@gateway/web/irccloud.com/x-zenbhhfubufvossu] has joined #openvpn 12:44 -!- leonarth [~leonarth@unaffiliated/leonarth] has joined #openvpn 12:45 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 12:47 -!- jnewt [~jnewt@99-127-232-51.lightspeed.mssnks.sbcglobal.net] has quit [Ping timeout: 276 seconds] 12:48 < John> Eesh, i have no idea 12:48 < John> Using TCP works, but i can send other data down UDP no problem 12:48 -!- jnewt [~jnewt@c-73-3-60-37.hsd1.ks.comcast.net] has joined #openvpn 12:49 < John> like "netcat -ul 443" on the server, and "netcat server.com 443" on the client 12:49 < John> and that sends bytes of data just find 12:49 < John> *fine 12:54 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 260 seconds] 12:55 -!- AfroThundr [~AfroThund@2601:147:c001:6667:25ff:9859:a5e8:c23a] has joined #openvpn 12:55 -!- AfroThundr [~AfroThund@2601:147:c001:6667:25ff:9859:a5e8:c23a] has quit [Max SendQ exceeded] 12:59 -!- jnewt [~jnewt@c-73-3-60-37.hsd1.ks.comcast.net] has quit [Ping timeout: 276 seconds] 13:00 -!- jnewt [~jnewt@c-73-3-60-37.hsd1.ks.comcast.net] has joined #openvpn 13:00 -!- jnewt [~jnewt@c-73-3-60-37.hsd1.ks.comcast.net] has quit [Write error: Connection reset by peer] 13:02 < John> ok, new question 13:02 < John> is there a way to set up the connection between server and client via TCP, then all data sent back and forth is over UDP? 13:03 < John> Because i get the feeling that my network is looking for UDP VPN packets and dropping them or something 13:03 < John> (but it leaves TCP VPN packets alone) 13:03 -!- wingman2 [~wingman2@web.innestech.net] has joined #openvpn 13:04 < John> Is that possible? 
13:07 -!- AfroThundr [~AfroThund@2601:147:c001:6667:25ff:9859:a5e8:c23a] has joined #openvpn 13:17 -!- HollowPoint [~quassel@95.144.182.39] has quit [Ping timeout: 265 seconds] 13:32 -!- NP-Hardass [~NP-Hardas@gentoo/developer/np-hardass] has quit [Quit: WeeChat 1.3] 13:33 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Quit: Konversation terminated!] 13:36 -!- John [c325d161@gateway/web/cgi-irc/kiwiirc.com/ip.195.37.209.97] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client] 13:37 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn 13:56 -!- pascas [~pascas@113.Red-88-3-58.dynamicIP.rima-tde.net] has joined #openvpn 13:57 < pascas> Hi 13:57 < pascas> i'm asking for help about importing ovpn files into a android device 13:57 < pascas> could anybody help me please? 14:06 -!- pascas [~pascas@113.Red-88-3-58.dynamicIP.rima-tde.net] has quit [] 14:09 -!- leonarth [~leonarth@unaffiliated/leonarth] has quit [] 14:24 -!- phreakocious [~phreakoci@64.71.143.122] has quit [Ping timeout: 246 seconds] 14:33 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has joined #openvpn 14:35 <@krzie> lol not in the 10 minutes you wait for help 14:44 -!- leonarth [~leonarth@unaffiliated/leonarth] has joined #openvpn 14:45 < Neighbour> :) 14:54 -!- StorageCluster [d42ff2b0@gateway/web/cgi-irc/kiwiirc.com/ip.212.47.242.176] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client] 14:56 -!- bMalum [~textual@194-118-82-152.adsl.highway.telekom.at] has quit [Read error: Connection reset by peer] 15:04 <@plaisthos> meh 15:04 <@plaisthos> I probably could have helped :) 15:09 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has quit [Quit: Leaving] 15:32 <@krzie> lol ya i would think you could have 15:32 <@krzie> seeing as you made the app he wanted help with lol 15:32 <@krzie> too bad for him you also have a life and werent here waiting eagerly for his question 15:41 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 15:45 -!- mparisi 
[~mparisi@marcelo.feitoza.com.br] has joined #openvpn 15:49 <@krzie> !c2c 15:49 <@vpnHelper> "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind 15:49 <@vpnHelper> other clients 15:54 < ke4nhw> Okay I'm back and I found the solution to my question from earlier. It turns out to be a highly complex supercomputed variant of ID10T fault stacks 15:55 -!- ShadniX [dagger@p5481D9E4.dip0.t-ipconnect.de] has quit [Ping timeout: 246 seconds] 15:55 < ke4nhw> In other words I'm a multilayered Idiot... I went up on the AES on the server to 256, and I forgot to edit that one client config to match. Duuuuiieeeeee 15:56 -!- ShadniX [dagger@p5481D9E4.dip0.t-ipconnect.de] has joined #openvpn 15:56 <@syzzer> heh, right, was about to suggest 'incompatible cipher types' indeed (sorry, didn't notice your question earlier...) 15:57 < ke4nhw> No problem, sometimes ya just gotta look at the simple stuff 15:58 < ke4nhw> Besides this way I learned to dig deeper before I give up and search for help, I might just find the solution... 16:00 < ke4nhw> Funny enough, I thought of the solution on the way to a dr appt. When I got there, I checked the config, found the fault, made the edit, then connected to their public wifi and was able to establish a tunnel into my server that worked well... and it's secure enough that I don't fret it too much 16:00 -!- jerin [uid67648@gateway/web/irccloud.com/x-zenbhhfubufvossu] has quit [Quit: Connection closed for inactivity] 16:03 < ke4nhw> Now all I need is a hardware kill switch, remote trigger super-gaussing and thermite trigger system. 
16:03 < ke4nhw> lol 16:07 <@syzzer> :') 16:09 < ke4nhw> At least I'm not paranoid... I originally considered wrapping my hard drives in nice, cushiony layer of C4, but I thought that might be just a tad too much... 16:09 < ke4nhw> But that's okay, I've got VPN now. I'm now invisible on the Internet! I am now anonymous, untraceable!!! Wooohooo! 16:10 < ke4nhw> Now I can do anything... I can even watch... wait for it... yes, Futurama!!! 16:13 < ke4nhw> Oh, and I can access my personal files on a public Internet connection safer than before... 16:16 * ke4nhw writes VPN on a sheet and pulls it over his head "You Can't See Meeeee!!!!!" 16:17 < ke4nhw> syzzer, on a more serious note, how many people actually come in here under the delusion that VPN = anonymity (sp?)? 16:18 -!- NP-Hardass [~NP-Hardas@gentoo/developer/np-hardass] has joined #openvpn 16:19 <@syzzer> ke4nhw: I only follow this channel occasionally, but it seems most people understand that VPN does not necessarily provide anonymity 16:19 <@syzzer> most people just want to access their home network in a secure way 16:20 <@syzzer> or use the layer-2 features to play multiplayer games designed for a small LAN over the interwebs ;) 16:21 < ke4nhw> I've seen a mix, and some even leave here with the same delusion. They'll swear that their VPS never keeps logs and would never for any reason turn over those nonexisting logs to law enforcement. 16:22 < ke4nhw> Me, I'm just looking for a way to access my fileserver from untrusted networks in a way that limits the risk by minimizing my exposure. 16:23 <@syzzer> well, that' 16:23 <@syzzer> s what VPN was designed for :) 16:23 < thumbs> a VPN does hide your actual IP from some services, to some degree. 16:23 <@syzzer> thumbs: yes, so it depends on who you're hiding for whether that's enough 16:24 < ke4nhw> To some degree, yes, but I'm willing to bet any hacker worth their salt can still trace you back. 
Not being a hacker I can't say for sure, but there's no such thing as no trail. 16:25 < ke4nhw> I try to avoid taking on a mindset that I am somehow less visible on the net because of some technology. I'm just as visible, it just takes more work to get back to me. 16:27 < ke4nhw> So I focus on doing my best to protect my data: firewalling for the low to medium level data, and complete airgap for highly secure data (tax returns, bank statements, etc). 16:28 < ke4nhw> I only do the highly secure stuff at home, and when I'm away, I mostly use the VPN to deal with stuff that's not that sensitive, but I do still want to protect the integrity of the data and, to some degree, the confidentiality as well... 16:32 <@plaisthos> yes 16:42 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn 17:10 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds] 17:14 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 17:15 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Ping timeout: 260 seconds] 17:17 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn 17:25 -!- APTX [~APTX@unaffiliated/aptx] has quit [Read error: Connection reset by peer] 17:27 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn 17:33 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds] 17:34 -!- bootsWitDaFur [~Adium@cpe-24-90-230-39.nyc.res.rr.com] has joined #openvpn 17:35 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Ping timeout: 260 seconds] 17:35 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 17:36 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn 17:37 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Remote host closed the connection] 17:46 -!- fred`` [fred@earthli.ng] has quit [Quit: +++ATH0] 17:46 -!- CaTtleyA_ [~CaTtleyA@aputeaux-653-1-99-94.w86-195.abo.wanadoo.fr] has joined #openvpn 17:49 -!- ribasushi 
[~riba@mujunyku.leporine.io] has quit [Ping timeout: 276 seconds] 17:50 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has joined #openvpn 17:53 < ke4nhw> yes to what? 17:55 -!- fred`` [fred@earthli.ng] has joined #openvpn 17:58 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving] 18:07 -!- mparisi [~mparisi@marcelo.feitoza.com.br] has quit [Ping timeout: 265 seconds] 18:12 -!- bootsWitDaFur [~Adium@cpe-24-90-230-39.nyc.res.rr.com] has quit [Quit: Leaving.] 18:14 -!- dazo is now known as dazo_afk 18:16 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has joined #openvpn 18:19 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has quit [Client Quit] 18:19 -!- somis [~somis@167.160.44.201] has quit [Read error: Connection reset by peer] 18:21 -!- mparisi [~mparisi@marcelo.feitoza.com.br] has joined #openvpn 18:21 <@krzie> hah thats funny you guys were talking about vpn vs anonymity at the same time i was explaining it on the forum 18:21 <@krzie> https://forums.openvpn.net/topic20676.html 18:21 <@vpnHelper> Title: OpenVPN Support Forum Do I need TOR with OpenVPN? : Off Topic, Related (at forums.openvpn.net) 18:21 -!- somis [~somis@167.160.44.210] has joined #openvpn 18:27 -!- Ryushin [~Ryushin@carl.scheinercg.com] has quit [Ping timeout: 260 seconds] 18:37 -!- leonarth [~leonarth@unaffiliated/leonarth] has quit [] 18:53 -!- Daimer [~Daimer34@CPEb4da2ae146cd-CM00fc8d4bb6e0.cpe.net.cable.rogers.com] has joined #openvpn 18:54 < Daimer> I am running CentOS 7 and if i have 2 configs (1 tcp and 1 udp) in /etc/openvpn ... how can i add them both to start as a service? 18:57 -!- pk12 [~pk12@104.243.24.236] has joined #openvpn 19:02 < illuminated> copy the main unit file to openvpn-tcp and also to openvpn-udp. Create 2 separate server.conf files. One for tcp and one for udp. Alter the config file parameters in both unit files. 
19:02 < illuminated> then systemctl start openvpn-tcp && systemctl start openvpn-udp && systemctl enable both 19:04 < illuminated> Daimer, ^ 19:16 -!- somis [~somis@167.160.44.210] has quit [Quit: Leaving] 19:34 -!- Ryushin [user@71.33.251.73] has joined #openvpn 19:52 -!- bootsWitDaFur [~Adium@cpe-24-90-230-39.nyc.res.rr.com] has joined #openvpn 19:52 -!- bootsWitDaFur [~Adium@cpe-24-90-230-39.nyc.res.rr.com] has quit [Client Quit] 20:07 -!- jessec [~jessec@wsip-70-185-8-68.br.br.cox.net] has quit [Ping timeout: 255 seconds] 20:50 <@krzie> actually i believe centos will just start every .conf in /etc/openvpn/ 20:51 <@krzie> did you try putting them both in /etc/openvpn with file extension .conf ? 21:15 < ke4nhw> Okay back 21:17 < ke4nhw> Catching up, yea I had to throw that out there earlier... I've heard it several times in regards to VPNs, that they make you anonymous or they make you absolutely bulletproof. Neither is true, but I'll tell you it's a right nice toy to have when you want to use a public network to access private files. At least the data stream is garbled. 21:19 -!- chachasmooth [~chachasmo@p5B125AA1.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds] 21:20 -!- chachasmooth [~chachasmo@p5B125F3C.dip0.t-ipconnect.de] has joined #openvpn 21:20 < ke4nhw> But I do want to throw out a question: One thing I haven't been able to do with openvpn yet is giving a client access to the server's physical lan. In testing this, what I did was put my wifi bridge in a vlan that was as isolated as possible from the server's vlan, so they were each on separate logical networks and separate subnets. 
However, they were both still behind the same physical gateway 21:20 < ke4nhw> device, even though each vlan in the router has its own gateway address 21:24 < ke4nhw> I tried to put the route push in that client's ./ccd file, put a reciprocal rule in the physical gateway's routing table making the server the gateway for the vpn's IPs, and added an appropriate entry to the server's iptables FORWARD chain. I still can't get it to work 21:24 < ke4nhw> Any suggestions? 21:26 < illuminated> SNAT on the vpn server? 21:27 < ke4nhw> snat? I'm familiar with nat, and that's not on the server, it's on the gateway router 21:27 < ke4nhw> I'm not familiar with snat 21:27 < ke4nhw> Is it the past tense of snot? 21:27 < ke4nhw> lol 21:28 < illuminated> source NAT 21:29 -!- tobinski_ [~tobinski@x2f561ba.dyn.telefonica.de] has joined #openvpn 21:29 < ke4nhw> no, the server isn't doing any NAT unless you consider that I use the ./ccd files to statically assign IP addresses to clients from the same subnet as the server's 10.147.93.0/24 21:30 < ke4nhw> Which is set as 'server 10.147.93.0 255.255.255.0 nopool' 21:30 < illuminated> well, you need to have an SNAT rule that basically says for the clients in my vpn subnet rewrite the source address to be the LAN interface ip address on the vpn server. 21:31 < ke4nhw> So in essence bridge the two somehow? 21:31 < illuminated> it's not really a bridge 21:31 -!- DArqueBishop [~drkbish@tyrande.darquecathedral.org] has quit [Read error: Connection reset by peer] 21:32 < illuminated> to all your LAN machines the source address will be from the LAN ip address of your vpn server 21:33 -!- tobinski___ [~tobinski@x2f5b2c2.dyn.telefonica.de] has quit [Ping timeout: 255 seconds] 21:33 < ke4nhw> Now how would that work if I've got two clients, both connected at the same time, and both need network resources on the server side. 
They'd both be 10.0.0.10 (assume this is the physical IP of the server), so how would this be handled on the return trip to get the traffic back to the correct client? 21:34 < illuminated> you create a static route on your default gateway that says that your vpn subnet is accessible through the LAN interface of your vpn server. 21:34 < ke4nhw> And isn't that what I'm doing in the gateway when I established a static route there for the return trip, with the destination being 10.147.93.0/24 and the gateway being 10.0.0.10? 21:35 < illuminated> no, it is not the same thing 21:35 -!- DArqueBishop [~drkbish@173.11.253.122] has joined #openvpn 21:36 < ke4nhw> So I will need the static route in my default gateway and I'll need this snat redirect in the server? 21:36 < illuminated> yes 21:36 < illuminated> afaik 21:37 < illuminated> the route in the default gateway is so that way when you try to ping the vpn client ips, the gateway will know what the next hop is to access that subnet. 21:37 < ke4nhw> Okay, I was getting confused when you said that other machines in the server's lan would see the client's IP address as the server's IP address, which is in network both directions from the server to the machine and back to the server. 21:38 < illuminated> the SNAT is so that traffic destined for the local LAN through the tunnel will appear as it's all coming from the ip address of the LAN interface on your openvpn server. 21:38 < illuminated> what is the ip address of the LAN interface on your openvpn server? 21:39 < ke4nhw> Okay, just off hand, would you know how to set this up or where a document on this is at? I never saw any mention of this in the openvpn docs and I read them very heavily over the last several months. 
21:39 < ke4nhw> 192.168.10.192 21:39 < illuminated> just a sec, lemme see if I can pull up something 21:41 < illuminated> ok, well when your clients try to access any other ip address on that subnet, the SNAT rule is designed to rewrite the source address from 10.whatever to 192.168.10.192. 21:42 < illuminated> https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-an-openvpn-server-on-centos-7 21:42 <@vpnHelper> Title: How To Setup and Configure an OpenVPN Server on CentOS 7 | DigitalOcean (at www.digitalocean.com) 21:42 < illuminated> the important line in that tutorial is this: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE 21:44 < ke4nhw> Okay, it makes sense, similar to the way that your default gateway rewrites your internal IP address to your WAN address so the packet can find you on the return trip since IPs behind a NAT are "hidden" as far as lookups and routing are concerned. 21:45 < ke4nhw> Is that a better example or close enough that you can say I'm seeing the connections right in my head now? 21:45 < illuminated> right. your tunnel clients will all be using the ip of 192.168.10.192 to interact with your network despite what their assigned ip is in your vpn subnet. 21:46 < illuminated> yeah you're pretty much right 21:48 < ke4nhw> and the iptables will track the connections from the various clients and keep them separate by headers and/or frames so that two clients' traffic don't get crossed in the act of both of them sharing a single forward IP address, similar to the way that one person in a home can be downloading software while another streams video, with all of the data actually coming into your home on a single 21:48 < ke4nhw> IP. 
21:48 < ke4nhw> It actually makes sens now 21:48 < ke4nhw> sense even 21:48 < illuminated> yeah, it makes sense in my head but difficult to explain 21:48 < ke4nhw> Awesome, thanks illuminated 21:48 < illuminated> np 21:49 < ke4nhw> Now I just have to set up the test conditions again. Normally I keep the netbook in the same subnet as these machines to make things easier, but I will go in and make adjustments to isolate it in a separate vlan 21:50 < illuminated> cool, well have fun. 21:50 < ke4nhw> I will have fun playing when it's working or I'll have fun with the Haldol they'll give me if it fails... 21:50 < illuminated> lol 21:51 * ke4nhw dusts off his old straight jacket. 21:53 < ke4nhw> I do have another question for you. don't ask me why, mainly just to see if it can be done... In the client config where you have the statement 'remote 71.15.179.20 1194' I've often wondered if I could script the openvpn startup such that the script will ask you for an IP address before it calls openvpn which calls the config. I wonder if I can replace the IP address in that statement with an 21:53 < ke4nhw> environment variable and have it read in as openvpn starts... 21:54 < illuminated> no idea 21:55 < illuminated> that goes above my pay grade 21:55 < ke4nhw> Gotta admit that would be cool 21:55 < illuminated> oh for reference the reason why it's called source NAT (SNAT) is because you're changing the source address. The flip side is destination NAT or DNAT. It rewrites the destination (used for port forwarding) 21:56 < illuminated> that's how you can keep the 2 straight 21:56 < illuminated> just remember SNAT refers to changing source address and DNAT refers to changing the destination address. 21:57 < ke4nhw> Okay, I see now that the source nat is so that the other machines in the network know where the traffic has to go, and since the server's address is in network they can get there. 
21:57 < illuminated> right 21:59 < ke4nhw> Awesome, same way my gateway changes the address from my wan address to my server lan address when I initiate a tunnel from outside the network: the port forwarding on that one sealed it for me I am familiar with that and use it a bit. Just never encountered those particular terms as of yet. 22:00 < ke4nhw> So on top of possibly getting this client network access working I actually learned something tonight... That's what makes the whole day worth it. 22:05 < ke4nhw> I have known about nat but I never heard it broken down into source and destination. Maybe that would have been in my next set of classes that I'd have taken had Obama not cut financial aid and left me dangling lol 22:06 -!- pk12 [~pk12@104.243.24.236] has quit [Quit: byezzzzzzzzzz] 22:06 < ke4nhw> So thanks a million on that, and a million more for teaching me some new information! That actually just made my day; even if I still have trouble it'll be worth it for learning. 22:22 -!- jrgcombr [~Jorge@node-1w7jr9qqhtoc89xuqgysjhwky.ipv6.telus.net] has joined #openvpn 22:24 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn 22:24 < illuminated> np..sorry i was busy 22:24 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Max SendQ exceeded] 22:26 < illuminated> i found a new utility called easy2boot. I think it will allow me to put like hirens bootcd, trinity rescue disk, ubcd, systemrescuecd, and a few av rescue cds on the same bootable usb stick with a menu to choose which to boot. could be handy 22:29 < illuminated> anyway i was studying the docs on it 22:35 -!- vicethal [~ubuntu@68-200-143-174.res.bhn.net] has joined #openvpn 22:50 < ke4nhw> handy, that would be badass 22:52 < ke4nhw> might as well put Kali and LPS = Lightweight Portable Security, it's a version of Linux that is designed to run from flash and is mainly for high security while on the road. 
It's an Air Force developed distro 22:58 < illuminated> I'm toying with the idea of installing an older version of FreeNAS on an old Dell tower server with a 500 GB PATA drive in it, and using it to create an iSCSI LUN to mount on a VM of Server 2012 R2 to store WSUS updates on so I don't fill up my ESXi local datastore with them. 22:58 < illuminated> :) 23:00 -!- rrichard_ [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn 23:01 -!- rrichard_ [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Max SendQ exceeded] 23:01 < ke4nhw> I would say I'll miss all of the 50000 brain cells that just gave up the ghost and died, but something tells me they were part of my memory... er, what were we talking about? 23:03 < ke4nhw> I've never tried FreeNAS, or any type of NAS, I just threw a couple of nice sized HDDs into an EMachines tower with a Pentium Dual Core and 4G of ram and let it run Samba for my network, which is as close as I come to any type of NAS 23:03 < ke4nhw> Is there any distinct advantage of NAS over setting up a full linux box and Samba serving? 23:05 < Neighbour> less power use 23:05 < Neighbour> but that's about it 23:06 < Neighbour> (for those that are knowledgeable enough to setup a box on their own) 23:07 < ke4nhw> Now just curious: will that new table and the postrouting rules have any effect on anything other than the client connections; it won't conflict with any of my standard chains? 23:08 < ke4nhw> I got no clue how to setup a NAS so I'll settle to setting up a CentOS box and running it headless as a fileserver. 
23:09 < Neighbour> you might want to check out openfiler then 23:09 < Neighbour> (fak) 23:09 < Neighbour> erm, afk* :) 23:09 < ke4nhw> ok I'll google it, and thanks :) 23:19 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has quit [Ping timeout: 246 seconds] 23:20 < ke4nhw> I currently do not do any NAT on my linux machine, but I am going to start using the openvpn tunnel not only for accessing resources on the server itself, but also resources on the local lan. Looking through the docs and talking to one of the openvpn peeps they said I needed to add a POSTROUTING line into my iptables. I don't even have a nat table established. Does anyone know if putting in 23:20 < ke4nhw> this table and adding this postrouting command will mess with anything else as far as the firewall goes, or will it only affect the intended machines (the vpn clients)? 23:22 < illuminated> if you do it correctly it will have the desired results 23:23 < illuminated> you can always do iptables -t nat -L 23:23 < illuminated> the default table listed when you do iptables -L is the filter table. 23:23 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has joined #openvpn 23:25 < ke4nhw> Okay, I shouldn't have anything on the NAT table I'd think, as of right now I'm not doing any nat on the server, at least not intentionally anyways. 23:27 < ke4nhw> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE 23:27 < ke4nhw> that's the rule the CentOS docs say to put in the firewall 23:29 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn 23:32 -!- natarej [natarej@101.188.147.129] has joined #openvpn 23:33 < ke4nhw> Yep, all chains are empty in nat table and all policies are default accept (shows you how much I know about the nat side of iptables hehe) 23:37 -!- jrgcombr [~Jorge@node-1w7jr9qqhtoc89xuqgysjhwky.ipv6.telus.net] has quit [Ping timeout: 240 seconds] 23:40 -!- c|oneman [cloneman@1337.montrealdark.com] has quit [Quit: The Hero of EFnet must rest now.] 
23:40 -!- c|oneman [cloneman@2605:6400:2:fed5:22:0:3b06:3913] has joined #openvpn 23:45 < illuminated> well, probably the output interface is not named eth0 anymore 23:47 < illuminated> so you would want to alter the command accordingly 23:47 < illuminated> ke4nhw, ^ 23:47 < ke4nhw> Any thoughts on this, and is this command sufficient for the nat to work? 23:48 < illuminated> i believe so provided you set the interface name in -o correctly 23:49 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has quit [Ping timeout: 276 seconds] 23:49 < ke4nhw> I'm still running 6 so I still have eth0 till I upgrade 23:50 < ke4nhw> Awesome, main thing is it won't crash the iptables, but even so just in case I always set an at job for two minutes or so to stop iptables in case I do get stupid and lock myself out in the firewall lol 23:55 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has quit [Ping timeout: 246 seconds] 23:56 < illuminated> lol 23:58 < illuminated> i think you'll be alright 23:58 < ke4nhw> It's just a safety net I throw out. The way I see it is it's easier to wait 2 minutes for the firewall to go down than it is to lug a monitor and keyboard in there to hook up and fix it in the console --- Day changed Tue Jan 12 2016 00:00 < ke4nhw> And I've done it once before, I screwed up and deleted the wrong line and saved the edit with && so I was automatically locked out by the firewall 00:00 < ke4nhw> Ever since then I'll use that safety net. It's effective and it's safe 00:01 -!- ShadniX [dagger@p5481D9E4.dip0.t-ipconnect.de] has quit [Ping timeout: 246 seconds] 00:03 < ke4nhw> I guess everybody's got their own style. For example, despite all of the screeches of horror I get when I say this, I continue to do my administrative work by logging in as a regular user then su to root. If I'm in-network here in my local lan I'll just straight up root ssh in. 
00:04 -!- ShadniX [dagger@p5481DCAE.dip0.t-ipconnect.de] has joined #openvpn 00:06 < c|oneman> is there a practical way of testing my vpn other than using another computer connected to cellular internet 00:06 < ke4nhw> Which is another reason my ssh doesn't listen to the eth0 interface, it only listens on the tun0 interface and accepts connections on ssh from only a few select clients that I control using a specific password protected key/cert pair which is kept on a microSD which stays tightly on my person unless I'm using it. 00:06 < ke4nhw> you can test it from within your network 00:07 < illuminated> c|oneman, you can test it with a computer on your LAN 00:07 < c|oneman> well, that works just fine, it's accessing other machines once connected that's broken. 00:07 < ke4nhw> As long as you don't have client-to-client enabled, and as long as you're not giving access to the server's lan subnet or the client's lan subnet 00:08 < ke4nhw> If you do that and both the server and client are within the same subnet and/or vlan, you'll end up with a spanning tree issue 00:08 < c|oneman> my TUN instance is fine, my TAP one is borked 00:08 < c|oneman> it connects, but no traffic 00:08 < ke4nhw> TAP on Windows 7 maybe? 00:09 < ke4nhw> And does it completely connect to Initialization Sequence Completed? 00:09 < c|oneman> er, Viscosity says "connected" 00:09 < c|oneman> Jan 12 1:08:23 AM: Initialization Sequence Completed 00:09 < c|oneman> yes. 00:10 < ke4nhw> Can your client ping the server's vpn address? 00:10 < ke4nhw> Should be .1 of whatever pool you setup 00:11 < c|oneman> well, since it's TAP, I can't differentiate between traffic following without the VPN's help if I'm testing locally 00:11 < c|oneman> so yeah, ping will work. Last I tried externally, It didn't. 00:11 < ke4nhw> And you should have that client's vpn address in the same subnet as the server's subnet so they can "see" each other... 00:12 < ke4nhw> Okay, so you can ping the server successfully? 
00:12 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 00:13 < c|oneman> yes, but it's the same subnet, so my pings work even when I'm disconnected from vpn 00:13 < ke4nhw> If so, then you will just need to adjust the firewall to account for any additional services you want to use through the tunnel. For example, you'll need to configure sshd to monitor on that interface and that subnet, and so on. 00:14 < ke4nhw> No that shouldn't be. In your server.conf file, what did you set as your address pool? 00:14 < ke4nhw> Likely was a line such as server 10.2.3.0 255.255.255.0 00:14 < c|oneman> server-bridge 192.168.7.28 255.255.255.0 192.168.7.240 192.168.7.250 00:15 < ke4nhw> That poses a whole new set of problems on testing that's outta my league. Yea, bridging you gave it an address on the physical network so it's either or... 00:16 < ke4nhw> illuminated, you got any experience on bridged mode? 00:16 < illuminated> nope, sorry. I just set up openvpn for the first time a week ago lol. I'm no expert. 00:16 < c|oneman> haha 00:17 < c|oneman> ill recruit a machine on the outside that I can Teamviewer in to for testing 00:17 < ke4nhw> there's a plan, but you'll have to give them keys and such 00:18 < c|oneman> yeah it will be on my local network 00:18 < c|oneman> well, I should rephrase 00:18 < ke4nhw> Better be someone you trust well, and then you should revoke the keys when you're done lol 00:18 < c|oneman> my ISP allows unlimited PPPoE sessions 00:18 < c|oneman> so I can create 'external users' at will 00:19 < ke4nhw> External users with a different IP address and on a network that is either physically or logically separated from the server? 00:19 < c|oneman> yeah. 
00:20 < c|oneman> it gets another wan IP from the ISP 00:20 < ke4nhw> That outta have ya then :) 00:21 < ke4nhw> Stick around though let us know how it goes 00:24 < ke4nhw> brb gonna google the difference between MASQUERADE and SNAT, iptables man page mentions SNAT under the MASQUERADE entry so I'll look at it anyway 00:33 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn 00:34 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 00:35 -!- deetwelve [~deetwelve@unaffiliated/deetwelve] has quit [Quit: foobar] 00:36 -!- bhuey [~bhuey@162-204-182-53.lightspeed.sndgca.sbcglobal.net] has joined #openvpn 00:36 < bhuey> hi, anybody awak right now ? 00:37 < bhuey> I've got an Ubuntu installation and was hoping for some help 00:37 -!- deetwelve [~deetwelve@unaffiliated/deetwelve] has joined #openvpn 00:37 < debdog> *AWAKS 00:37 < bhuey> I think I have it configured correctly but my client is having problems connecting to it yet I still connections established in the syslog 00:37 < bhuey> hi 00:38 < bhuey> I mean, the server configured correctly, dont know about the client 00:38 < bhuey> configuring openvpn is bit obtuse 00:38 * bhuey newbie 00:39 < bhuey> I have a couple of error messages but I don't know what they mean 00:41 < rasengan> paste em 00:41 < rasengan> in a pastebin 00:42 < rasengan> after sanitizing it of any identifying content ;o 00:44 < bhuey> ok 00:45 < bhuey> I feel really stupid about having to ask people but I can't spend a lot of time learning everything about openvpn 00:45 * debdog is a noob, too. 
got openvpn working but doesn't know why ;) 00:48 < c|oneman> yeah, you're gonna break it in 4 months and not know why, take it from me 00:48 < bhuey> rasengan: http://pastebin.com/bzxXrU0D 00:48 < bhuey> only thing left there is IP addresses etc 00:49 < bhuey> ufw is my firewall and it's off for now 00:51 -!- atralheaven [~atralheav@5.122.166.86] has joined #openvpn 00:52 < atralheaven> Hello, how can I check when was the last time a user has connected to openvpn server? Thanks 00:53 < ke4nhw> I'd egrep the log file for that user's CN 00:53 < atralheaven> where is the log file? 00:53 < rasengan> bhuey you sure you have fw off 00:53 < bhuey> rasengan: that's both the client and server logs. Wasn't sure if you mentioned that you were volunteering to help 00:54 < bhuey> rasengan: ufw is disabled 00:54 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds] 00:54 < bhuey> not sure what other firewall could be in the way 00:54 < ke4nhw> should be /etc/openvpn/openvpn.log 00:55 < rasengan> whats goin on in your config bhuey 00:55 < bhuey> rasengan: post that as well ? 00:55 < ke4nhw> If you set up your server.conf correctly it should be appending to that file for you and keeping track of everything. 00:55 < bhuey> if so, give me a bit 00:56 < rasengan> try disabling tls-auth on both side and go from there 00:56 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 00:57 < bhuey> rasengan: http://pastebin.com/3F8nCRtL 00:57 < bhuey> ok 00:58 < bhuey> rasengan: tls-auth ta.key 1 00:58 < bhuey> That line in the client ? 00:58 < bhuey> It's commented out 00:59 < rasengan> yeah maybe just comment it out on both server and client 00:59 < bhuey> rasengan: yeah that worked but with error messages 00:59 < bhuey> rasengan: thanks, I really appreciate it 01:00 < bhuey> Authorization is failing etc 01:00 < illuminated> ;ns-cert-type server <--uncomment that in client.conf 01:00 < bhuey> the ; means it's commented out right ? 
01:01 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds] 01:01 < illuminated> yeah 01:01 < bhuey> rasengan: http://pastebin.com/QybULUAK 01:01 < bhuey> rasengan: hold on... 01:02 < bhuey> rasengan: this is an OS X machine on the client btw so that you know 01:03 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Ping timeout: 260 seconds] 01:03 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 01:04 < rasengan> I think is your cert made properly 01:04 < bhuey> http://pastebin.com/ETMbXVT8 01:04 < bhuey> not sure 01:05 < bhuey> I followed the Ubuntu docs for that as best as I could 01:05 < bhuey> https://help.ubuntu.com/community/OpenVPN 01:05 <@vpnHelper> Title: OpenVPN - Community Help Wiki (at help.ubuntu.com) 01:07 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn 01:07 < bhuey> illuminated: hold on 01:08 < bhuey> same error 01:08 < bhuey> Removed a bunch of default stuff in the openvpn directory that i had forgotten about 01:09 < bhuey> Complains about a verify error 01:09 < bhuey> maybe I should redo the configs ? 01:09 -!- wingman2 [~wingman2@web.innestech.net] has left #openvpn [] 01:12 < rasengan> Probably doesn't matter but maybe try cipher bf-cbc 01:12 < rasengan> Like you have in your server config 01:14 -!- weox [uid112413@gateway/web/irccloud.com/x-ratlzcfxmgossvdf] has quit [Quit: Connection closed for inactivity] 01:16 -!- atralheaven [~atralheav@5.122.166.86] has left #openvpn [] 01:16 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 265 seconds] 01:18 -!- sixtoedjesus [~stj@unaffiliated/sixtoedjesus] has quit [Ping timeout: 272 seconds] 01:24 < bhuey> rasengan: ca.cert has to be the same for both server and client ? 
01:24 < bhuey> Was just looking up the error via search 01:25 < rasengan> Yah 01:25 -!- sixtoedjesus [~stj@unaffiliated/sixtoedjesus] has joined #openvpn 01:28 < bhuey> rasengan: that helped it along 01:28 < bhuey> It's still waiting for the authorization 01:29 < bhuey> Same TLS error btw 01:35 < bhuey> The server and client are clearly able to talk but it's just not negotiating properly 01:35 < bhuey> Might have to call it a night on this and try again tomorrow 01:36 -!- deetwelve [~deetwelve@unaffiliated/deetwelve] has quit [Remote host closed the connection] 01:37 -!- deetwelve [~deetwelve@unaffiliated/deetwelve] has joined #openvpn 01:39 < bhuey> rasengan: thanks for the help tonight though 01:39 < rasengan> Sorry couldn't have been of more assistance. :( 01:39 < bhuey> rasengan: I'm sure I screwed up in some way 01:39 < bhuey> I'll eventually figure it out 01:39 < bhuey> crossfingers 01:40 < rasengan> :) 01:47 < bhuey> rasengan: we got it a bit closer. I just need to do more research etc 01:51 -!- unforgiven512 [~unforgive@freebsd-dev.unforgivendevelopment.com] has quit [Quit: ZNC - http://znc.in] 01:56 < bhuey> This is a MacBook btw for a client 01:56 < bhuey> Just updated to the beta release in case there was a bug of some sort preventing this from working 02:00 < bhuey> rasengan: I think it's a certificate problem. Will regenerate all of them 02:04 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 02:06 < ke4nhw> I'm still curious: In order to allow a client access to the server-side local lan, you need to push the server-side local lan route, which is the entire /24 or whatever cidr you're using (this one I can understand why), you've got to set up a postrouting rule in the nat table of the server's firewall, I see that now, and you've got to put the proper entries in the forwarding chain of iptables. 
02:06 < ke4nhw> 02:09 < ke4nhw> What I don't understand is why it's requiring that everyone be in different subnets and why instead of 'ifconfig-push 10.8.0.5 255.255.255.0' it is saying we must use 'ifconfig-push 10.8.0.5 10.8.0.6' 02:10 < ke4nhw> And this when I am using a 'server 10.8.0.0 255.255.255.0 nopool' as my declaration 02:12 < ke4nhw> anyone have any idea on this, why the users have to be in separate subnets instead of the one subnet set aside for the vpn, and why I can only push a block of two addresses with only one of them being usable instead of pushing the whole /24 as I'm doing now without server-side network inclusion? 02:15 < ke4nhw> Any takers on this one? 02:30 < Neighbour> ke4nhw: depends on your topology configuration...if you use "topology subnet", you can use "ifconfig-push " 02:30 < Neighbour> which is the recommended method nowadays 02:54 -!- HollowPoint [~quassel@62.254.184.134] has joined #openvpn 03:05 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn 03:06 < bhuey> rasengan: my certs were fucked up man. Thanks :) 03:06 < bhuey> Got it working 03:06 < bhuey> ca.crt was different and the subsequent files I generated I'm sure were messed up 03:06 < bhuey> It's working now. Happy :) 03:08 < bhuey> almost 03:14 -!- jesopo [jess@lolnerd.net] has quit [Quit: et nos unum sumus] 03:16 -!- jesopo [jess@lolnerd.net] has joined #openvpn 03:16 -!- chachasmooth [~chachasmo@p5B125F3C.dip0.t-ipconnect.de] has quit [Quit: Quit] 03:17 -!- chachasmooth [~chachasmo@p5B125F3C.dip0.t-ipconnect.de] has joined #openvpn 03:17 < crane> I could be wrong (and I hope I am...) but should this not be the line to let openvpn on windows log into a logfile? log-append E:\\openvpn.log 03:17 < crane> OpenVPN is not creating any log file... It is just opening a shell where nothing is going to happen? 
03:22 < bhuey> thanks :)
03:22 < bhuey> out of here
05:53 < bhuey> hi
05:53 < bhuey> back again :)
05:53 < bhuey> Anybody awake ?
05:53 < bhuey> client connects to the server successfully but I can't ping anyting
05:53 < bhuey> anything
05:54 < bhuey> 192.168.0.0/24 is my client network that gets NAT to the outside world
05:54 < bhuey> 192.168.10.0/24 for the server's LAN
05:55 < bhuey> would like to get on that LAN
06:18 < Neighbour> bhuey: do you have a 'push "route 192.168.10.0 255.255.255.0"'-statement in your server config (or ccd)?
06:19 -!- bhuey [~bhuey@162-204-182-53.lightspeed.sndgca.sbcglobal.net] has quit [Ping timeout: 245 seconds]
06:21 < Neighbour> hm, 245secs...nope, he didn't get that :)
06:23 < davel> hello,
06:23 < davel> I am using openvpn in p2p mode with the UDP protocol
06:24 < davel> Is there a way I can make it bind the socket to the remote host, rather than listening to packets from all hosts?
06:27 < Neighbour> no, but you can probably instruct your firewall to only allow packets from a specific host
06:30 <@dazo> Anyone know how to transfer the spamassassin bayes database from one zimbra server to another one? I've migrated server, but the new server needs to relearn spam again :/
06:31 <@plaisthos> dazo: wrong channel? :)
06:31 <@dazo> duh!
06:31 <@dazo> yeah
06:31 <@plaisthos> wait, have a macro for that!
06:31 <@plaisthos> !notovpn
06:31 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem or (#2) sorry, but we dont care. this channel is only for help with openvpn.
06:31 <@dazo> hehehe
06:57 < davel> Neighbour: okay, thank you. I wanted to do the binding in order to have multiple openvpn instances linking to different hosts
06:57 < davel> I can work around this by giving all the links their own port number
06:58 < Neighbour> you can still do that (linking multiple ovpn clients to different hosts on your subnet) using firewall rules
07:03 <@plaisthos> davel: any reason that you use p2p mode instead of p2mp?
07:07 < davel> Neighbour: the specific problem is that when the second openvpn instance starts, it cannot connect the udp socket to 0.0.0.0:1194 because the first is already sat on it
07:08 < davel> plaisthos: I'm attempting to create a mesh linking multiple servers, so the other machines at the far end of the link are also connecting to multiple servers. I don't think you can do this in client/server mode?
07:09 <@plaisthos> do both sides of your p2p link have remote in it?
07:10 <@plaisthos> otherwise you can also use nobind
07:10 <@plaisthos> binding to the remote address is simply not implemented
07:10 < davel> plaisthos: yes, they are both configured identically (aside from the addresses being reversed)
--- Log closed Tue Jan 12 07:13:06 2016
--- Log opened Wed Jan 13 08:39:54 2016
09:02 < hiya> Yo
09:02 < hiya> Do people talk here?
09:02 <@ecrist_> yes
09:07 < hiya> ecrist_, question 1 Sir - Does tls-ecdhe-* as tls-cipher work with OpenVPN? I have seen way too many guides showing it as cipher. It never worked for me
09:08 <@ecrist_> It needs to be supported by the underlying library (openssl or polarssl)
09:08 < hiya> ecrist_, my openssl lib says it is supported
09:09 < hiya> but it won't work
09:09 < hiya> that is my point
09:09 <@ecrist_> !logs
09:09 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
09:09 < hiya> ecrist_, Server log? tls handshake failed
09:09 < hiya> ecrist_, Debian 8
09:10 < hiya> OpenSSL 1.0.1k 8 Jan 2015
09:10 <@ecrist_> hiya: I need to see the full logs, as mentioned above. Also, your server config file, please.
09:10 < hiya> Does it work?
09:11 < hiya> ecrist_, omg, :) too much data, wait I show you my server.conf ok? but I would redact server IP, is it fine for you?
09:12 <@ecrist_> !topsecret
09:12 <@vpnHelper> "topsecret" is (#1) if your setup is so top secret that you cant post your configs or logs, please leave now and go find support you trust. or (#2) Clever readers may attempt to use RFC5737/RFC3849 to represent arbitrary public IPs one wishes to hide. Unclever attempts may be ignored with prejudice.
09:12 < hiya> ecrist_, heh :) omg sorry for you an OP
09:12 < hiya> I did not know
09:12 <@ecrist_> nobody cares about your public IP
09:12 <@ecrist_> If I want to hack on some openvpn servers I'll just run some port scans
09:13 < hiya> ecrist_, https://defuse.ca/b/KITBE5dF
09:13 <@vpnHelper> Title: Defuse Security's Encrypted Pastebin (at defuse.ca)
09:13 < hiya> my server.conf
09:14 < hiya> I use DHE because ECDHE does not work
09:14 < hiya> wait I would show you logs
09:16 <@ecrist_> you can just run openvpn --show-tls to get the supported list
09:16 < hiya> ecrist_, I know sir, it says supported!!!
09:16 < hiya> there are many openvpn tickets regarding the same
09:16 <@ecrist_> both sides need to support it
09:16 < hiya> TLS-ECDHE does not work!
09:16 < hiya> ecrist_, running same OS on both sides
09:16 < hiya> Debian Jessie same
09:21 <@ecrist_> I don't care about the OS, I care about the output of --show-tls
09:23 < hiya> ecrist_, ok getting you both server.log and other thing
09:32 < hiya> ecrist_, https://lut.im/xg4V9TzBsq/wOv3yjFgZ9S4B1Yz.png
09:32 <@vpnHelper> Title: Lutim (at lut.im)
09:32 < hiya> I just get this error
09:33 < hiya> ecrist_, All it says is tls error
09:33 < hiya> when a user tries to connect when it's ECDHE
09:34 <@ecrist_> hiya: did you post the logs?
09:36 < hiya> yep
09:39 < hiya> ecrist_, https://defuse.ca/b/typ1RVqU
09:39 <@vpnHelper> Title: Defuse Security's Encrypted Pastebin (at defuse.ca)
09:39 < hiya> when user connects with VPN using ECDHE
09:39 < hiya> on both server/client
09:39 < hiya> this is what happens
09:39 < hiya> with TLS-DHE works :)
09:41 < hiya> https://defuse.ca/b/ePlMJDdf
09:41 <@vpnHelper> Title: Defuse Security's Encrypted Pastebin (at defuse.ca)
09:41 < hiya> ecrist_, ^ openvpn --show-tls
09:44 < hiya> https://community.openvpn.net/openvpn/ticket/304
09:44 < hiya> ecrist_, ^
09:44 <@vpnHelper> Title: #304 (List or indicator of supported tls/ciphers/hashes) – OpenVPN Community (at community.openvpn.net)
09:44 < hiya> some had the same issue
09:48 <@plaisthos> hiya: you need 2.4-master for ecdsa
09:48 <@plaisthos> err
09:48 <@plaisthos> ecdhe
09:48 <@plaisthos> iirc
09:49 <@plaisthos> commit 609e8131427686adca9b4ed2db44db4aaa920a01
09:49 <@ecrist_> plaisthos: can you comment on ticket 304 to that effect, please?
09:51 <@plaisthos> ecrist_: hm 304 already has a good answer from syzzer
09:51 < hiya> plaisthos, What is 2.4 master?
09:51 <@plaisthos> hiya: compile your own version from git
09:51 <@plaisthos> !git
09:51 < hiya> OMg
09:51 <@vpnHelper> "git" is (#1) For the stable git tree: git clone git://git.code.sf.net/p/openvpn/openvpn or (#2) For the development git tree: git://git.code.sf.net/p/openvpn/openvpn-testin or (#3) Browse the git repositories here: http://sourceforge.net/p/openvpn/openvpn-testing/ci/master/tree/ or (#4) See !git-doc how to use git or (#5) git troubles? http://justinhileman.info/article/git-pretty/git-pretty.png
09:51 < hiya> 2.4 OpenVPN?
09:51 <@plaisthos> there is no 2.4 yet
09:51 <@plaisthos> the feature will be in 2.4
09:52 <@plaisthos> Tunnelblick for mac and OpenVPN for Android also allow you to use -master
09:52 < hiya> plaisthos, Ok sir thanks for update
09:52 < hiya> when should we use "remote-cert-tls" instead of ns-cert-type?
09:52 < hiya> What is the difference?
09:53 <@plaisthos> https://github.com/OpenVPN/openvpn/commit/609e8131427686adca9b4ed2db44db4aaa920a01
09:53 <@vpnHelper> Title: Add support for elliptic curve diffie-hellmann key exchange (ECDH) · OpenVPN/openvpn@609e813 · GitHub (at github.com)
09:53 <@plaisthos> hiya: I would have to check the manpage myself
09:53 <@plaisthos> iirc remote-cert-tls is a macro
09:53 < hiya> plaisthos, Many openvpn guides seem to have it, TLS-ECDHE-. Are they faking or have no idea? or have never tried it?
09:54 < hiya> https://blog.g3rt.nl/openvpn-security-tips.html
09:54 < hiya> see this ^
09:54 <@vpnHelper> Title: 16 tips on OpenVPN security · blog.g3rt.nl (at blog.g3rt.nl)
09:55 <@plaisthos> hiya: yeah, it will fall back to a non-ECDHE cipher with that list
09:55 < hiya> I see
09:55 <@plaisthos> also note the OpenVPN-NL
09:55 < hiya> ecrist_, https://defuse.ca/b/KITBE5dF
09:55 <@vpnHelper> Title: Defuse Security's Encrypted Pastebin (at defuse.ca)
09:55 < hiya> plaisthos, ^
09:55 < hiya> my server.conf
09:55 < hiya> Is it ok?
09:55 < hiya> :)
09:57 <@plaisthos> *shrug*
09:57 <@plaisthos> I would recommend against using only one cipher
09:57 <@plaisthos> note the default in 2.4 will become tls-cipher "DEFAULT:!EXP:!PSK:!SRP:!kRSA"
09:58 < hiya> I only support 1 tls-cipher
09:58 < hiya> Sir what to use?
09:58 < hiya> "remote-cert-tls" or ns-cert-type?
09:59 < hiya> OpenVPN does not have a good book, kindly recommend 1
09:59 <@syzzer> !book
09:59 <@vpnHelper> "book" is (#1) http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2! or (#2) Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn
10:00 < hiya> syzzer, Sir, I read both :) same content almost, no good information on manual explanation
10:00 < hiya> I need a commentary on manual
10:01 < hiya> ;]
10:02 <@syzzer> what do you mean by manual explanation?
10:02 < hiya> I want a 2-page chapter on each option of the OpenVPN manual
10:02 < hiya> so I understand when to use what
10:03 < hiya> "remote-cert-tls" or ns-cert-type? < for example this is killing me
10:03 <@syzzer> ns-cert-type is the old one
10:03 < hiya> ok
10:03 <@syzzer> remote-cert-tls is the modern version
10:04 < hiya> ya I use modern :) I am smart :)
10:04 <@syzzer> both work equally well, btw - just that remote-cert-tls is the modern way to do it
10:04 <@ecrist_> hiya: jjk and I just published the last one in that list
10:04 < hiya> syzzer, Can we restrict bandwidth on individual user? Or limit simultaneous connections by a user?
10:05 <@syzzer> not within openvpn (as far as I know)
10:05 < hiya> ecrist_, Mastering OpenVPN?
10:05 <@ecrist_> yes
10:05 < hiya> syzzer, I think limit-connection is within reach of OVPN
10:05 < hiya> max-retry or something?
10:06 <@ecrist_> some firewalls can attempt to shape traffic for openvpn clients, but there's really nothing stopping anyone from flooding a connection
10:06 < hiya> ecrist_, you did not focus on Manual and hardening and other stuff, is it basics?
10:06 < hiya> I want to be an expert on OVPN
10:06 < hiya> I love it, ever since I hosted it for people
10:07 < hiya> ecrist_, I am sorry if I am rude, but I felt like there is nothing new in the book at all that I got to know
10:09 < hiya> hello? Can read?
10:09 <@ecrist_> chapter 1: OpenVPN Internals is about the only place we cover the encryption ciphers
10:09 < hiya> Ah I am here :)
10:10 < hiya> ecrist_, I read it in a hurry to look for that chapter which would startle me, but it just never happened, sorry :)
10:10 < hiya> Although I felt like it is an AWESOME basics book
10:12 < hiya> ecrist_, Oh sorry Chapter 4 = Holy Shit :] Love it, but never understood what you want to explain with CCD and how did you end up with that IPv6 address from server 10.200.0.0 255.255.255.0
10:13 < hiya> ecrist_, Also you never changed firewall settings for IPv6 forwarding
10:14 < hiya> server 10.200.0.0 255.255.255.0
10:14 < hiya> server-ipv6 2001:DB8:100::/64
10:15 < hiya> how did you calculate it?
10:15 < hiya> What would the IP be for 10.50.0.0?
10:16 <@ecrist_> hiya: you don't "convert" IPv4 to IPv6 normally
10:17 < hiya> then how did you end up with that IP?
10:17 < hiya> you never explained it? Also you did not change any firewall setting for IPv6, would it work without forwarding IPv6?
10:17 <@ecrist_> the IPv6 address there follows RFC3849 for the reserved IPv6 range for documentation and examples
10:18 < hiya> ok
10:18 < hiya> What should I do?
10:19 <@ecrist_> for what?
10:19 < hiya> for my ipv6 address
10:20 < hiya> you have my configuration
10:20 <@ecrist_> that really boils down to a networking 101 question
10:20 <@ecrist_> You need to obtain an IPv6 range (tunnelbroker.net is a good choice)
10:20 < hiya> I asked there, they said ask Openvpn people
10:20 <@ecrist_> or from your upstream provider
10:20 <@ecrist_> now, they did not
10:21 < hiya> What if my server has IPv6?
10:21 <@ecrist_> You need a routable subnet, usually a /64
10:22 < hiya> I see inet6 addr:
10:22 <@ecrist_> to get that, you'll obtain a routed /64 for the upstream to point the VPN /64 to
10:23 < hiya> mine is /64
10:25 <@ecrist_> so you'll need to either NAT that traffic, or obtain another /64 range that is routed to your vpn server that you can hand out to clients.
10:29 < hiya> I just want IPv6 support
10:29 < hiya> So that their ISP's IPv6 IP is not leaked when they use VPN
10:30 <@ecrist_> hiya: that's what I'm telling you
10:34 < hiya> ecrist_, I don't get it :(
10:37 <@ecrist_> that topic falls outside the purview of openvpn in general
10:37 <@ecrist_> !101
10:37 <@vpnHelper> "101" is This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc
10:39 < hiya> If I use server 10.8.0.0 255.255.255.0 in server.conf, what should its IPv6 equivalent be?
10:54 <@ecrist_> hiya: there is no equivalent
10:54 <@ecrist_> for IP address, for the config parameter, check out the man page.
11:02 < ^CJ^> hey there
11:03 < ^CJ^> i might be dumb but i'm trying to run 2 instances of openvpn on the same machine, one for udp and one for tcp
11:04 < ^CJ^> now i'm using these 2 respective lines in my configs:
11:04 < ^CJ^> server 10.66.66.0 255.255.248.0
11:04 < ^CJ^> and
11:05 < ^CJ^> server 10.77.77.0 255.255.248.0
11:05 < ^CJ^> however this gives me "Options error: --server directive network/netmask combination is invalid"
11:05 < ^CJ^> while it works when using a 255.255.255.0 netmask in the 10.77.77.0 config
11:06 < ^CJ^> i don't see how that combination is not valid...
11:06 < hiya> ecrist_, I am getting a block of IPv6 routed to my KVM, then I would follow your guide and come back, but I want to know whether I would get IPv6 from the VPN even if my ISP does not support it?
11:11 <@ecrist_> hiya: your ISP doesn't need to support VPN
11:11 <@ecrist_> they just need to route a /64 subnet to your VM, that you can pass to your clients
11:12 < hiya> ecrist_, no no, I mean would I get an IPv6 addr as a client even if my local ISP (NOT the VPS ISP) does not support IPv6 yet?
11:12 <@ecrist_> no
11:12 < hiya> wtf?
11:12 < hiya> Why not?
11:13 <@ecrist_> then you would need to talk to tunnelbroker.net and get a GIF tunnel configured, and a subnet assigned and routed.
11:14 < hiya> why won't I get an IPv6 address from VPN just because my ISP does not support IPv6 yet? My OS does!!
11:15 <@plaisthos> !?
11:15 <@plaisthos> it works here
11:15 < hiya> plaisthos, my q?
11:17 < hiya> plaisthos, Did you reply to my question?
11:17 < Bose> hiya, I think it has something to do with tunneling IPv4 packets over IPv6 networks
11:17 <@plaisthos> hiya: yes
11:17 <@plaisthos> Bose: that is a different problem and that is fixed in -master
11:18 < hiya> plaisthos, I always knew it could happen :)
11:18 < Bose> sorry. IPv6 packets over IPv4 network
11:19 < hiya> Bose, Baby we connect to VPN - which is a different network supporting IPv6
11:19 < hiya> :)
11:20 <@ecrist_> hiya: you will, but they won't be routable to the internet
11:21 <@ecrist_> without your ISP at the server side supporting IPv6, or without having a tunnel to a broker, your VPN clients will not be able to use the internet via IPv6
11:23 < hiya> ecrist_, server side ISP has to support IPv6 right! but what if client side ISP does not have IPv6
11:23 < hiya> is my question
11:23 < hiya> :)
11:26 < ^CJ^> ok i got my problem fixed, seems it only affected the openvpn version that came with debian, after upgrading to 2.3.10 everything is fine again
11:28 < hiya> ^CJ^, Really?
11:29 < hiya> you running two server subnets and different ports in one single server.conf?
11:29 < hiya> Share it?
11:29 < hiya> Kindly server.conf?
11:30 < hiya> ecrist_, Don't we have to enable packet forwarding for IPv6?
11:31 < hiya> in sysctl.conf?
11:44 < ^CJ^> hiya, no, actually it didn't fix it :P
11:44 < ^CJ^> i thought so cause it works on another server where i'm running 2.3.10 but it doesn't work on the first server even after upgrading to 2.3.10
11:49 < ^CJ^> hiya, nothing special in my configs: http://pastebin.com/8nvT54hH and http://pastebin.com/yzecdgvA
11:49 < ^CJ^> this is the combination that works, when changing to 255.255.248.0 in the 2nd config, restarting fails
11:55 < walnuts> Hi, i'm trying to setup my first openvpn server and i'm having issues with easy-rsa. most guides point me to the /usr/local/share/easy-rsa directory on freebsd and while I have a vars file in there, I lack clean-all and build-ca and other scripts. I installed openvpn 2.3.10 with easy-rsa, is there something I missed?
11:56 < ^CJ^> walnuts: Note that easy-rsa is no longer bundled with OpenVPN source code archives. To get it, visit the easy-rsa page on GitHub, or download it from our Linux software repositories.
11:56 < ^CJ^> https://github.com/OpenVPN/easy-rsa
11:56 <@vpnHelper> Title: OpenVPN/easy-rsa · GitHub (at github.com)
11:57 < ^CJ^> dunno why they did that actually
11:57 < ^CJ^> it was quite handy to have it preinstalled
11:57 < walnuts> weird, pkg info easy-rsa tells me i have 3.0.1
11:58 < ^CJ^> if you installed it from some repository it probably ended up in another folder
11:59 < ^CJ^> not an expert tho, i primarily came here for asking, not answering ;)
11:59 < walnuts> well, freebsd tells me it has an easy-rsa 3.0.1 package and i do have some files in /usr/local/share/easy-rsa, namely vars; vars.example and x509-types but yes i lack the build scripts
12:00 < walnuts> so if i get it from github i should end up with all the build-ca build-key scripts?
12:00 < hiya> walnuts, yep
12:00 < walnuts> do I just run the build-dist.sh in /build/?
12:00 < hiya> ^CJ^, ok :) I am hosting an OpenVPN server too :)
12:04 < walnuts> so I just checked and https://github.com/OpenVPN/easy-rsa/tree/release/2.x/easy-rsa/2.0 seems to have the scripts I need according to all the tutorials I've found online. the master release at 3.x doesn't have any of this.. can I simply install 2.0 instead of the 3.x release or would that cause problems with openvpn 2.3.10?
12:04 <@vpnHelper> Title: easy-rsa/easy-rsa/2.0 at release/2.x · OpenVPN/easy-rsa · GitHub (at github.com)
12:32 < hiya> walnuts, Did you get it to work?
12:33 < walnuts> yeah i mean i just installed easy-rsa 2.2.2 and I got the scripts
12:33 < walnuts> couldn't get it to work with 3.0.1
12:36 < hiya> walnuts, edit vars and use a good length, 3072 at least
13:46 < bluecamel> Hey all. I'm struggling getting crl-verify to work correctly. I can revoke certificates and see them by running list-crl. However, when I have crl-verify in my configuration file, I can't connect even from a valid certificate.
13:48 < bluecamel> Any suggestion of where to look? I don't see anything in openvpn.log while trying to connect
13:48 < |PSU|> hi guys, trying to get OpenVPN working with Shorewall...following the road warrior setup. Very basic setup, one client (iPad) and RaspPi server using Shorewall as the firewall. I am able to successfully authenticate and access local web pages on my local network but am unable to get out to the Internet. Internet web pages time out and I don't see any errors in my firewall (Shorewall) logs... thoughts?
13:50 <@ecrist_> bluecamel: odds are your path is incorrect
13:51 < bluecamel> hrmm, nope, the line is: crl-verify /etc/openvpn/keys/crl.pem
13:51 < bluecamel> and that file exists
13:52 <@ecrist_> openssl crl -noout -text -in /etc/openvpn/keys/crl.pem
13:53 <@ecrist_> is crl.pem readable by the user running openvpn (i.e. if you use nobody:nobody, does nobody have read access to that path?)
13:54 < bluecamel> when I run that command, I get the same output as easy-rsa list-crl, which shows the revoked certificates. I just tried making crl.pem readable by everyone and same behavior.
14:02 < bluecamel> oh, so I guess it is a permission issue because the keys directory also needs to be readable...boo
14:02 <@ecrist_> yes
14:03 <@ecrist_> how is the openvpn binary supposed to read the file if it doesn't have permission?
14:04 < hiya> ecrist_, Can you teach me something cool about logs etc?
14:04 <@ecrist_> like?
14:05 < hiya> like anything that you think a newbie might not know :)
14:05 < bluecamel> @ecrist_ no, I understand, I just assumed that since openvpn can read the other files in the keys directory, it was already configured
14:05 <@ecrist_> bluecamel: there's a privilege de-escalation that takes place
14:06 <@ecrist_> so, as root it reads those files and stores them in memory
14:06 <@ecrist_> the CRL file is read each time a connection is made, so the unprivileged user needs to also have access.
14:08 < bluecamel> hrmm, so should the directory be owned by root then, or is it safe to give all permission to read the keys directory?
14:13 <+esde> that is unsafe
14:14 <+esde> >give all permission to read the keys directory
14:15 <@krzie> openvpn would even issue a warning every time you start it with those permissions
14:16 < bluecamel> so, what would be the recommended setup, since nobody needs to read a file in that directory?
14:16 <@krzie> root does
14:16 <@krzie> so let root
14:16 <@krzie> in general that's how you should deal with permissions
14:17 < hiya> Openvpn-nl supports ECDHE right now
14:17 < hiya> sad thing
14:17 <@krzie> whoever needs access gets it, and nobody else does.
14:17 < hiya> we don't have it yet
14:17 <@krzie> hiya: isn't openvpn-nl opensource...?
14:17 <@krzie> ...so then use it if you want it :-p
14:17 < bluecamel> @krzie I'm not sure what you're suggesting. Are you saying instead of "user nobody" in the config file, to have "user root"?
14:21 <@krzie> no
14:21 <@krzie> [12:04] <@ecrist_> bluecamel: there's a privilege de-escalation that takes place [12:04] <@ecrist_> so, as root it reads those files and stores them in memory
14:21 < hiya> krzie, :) it's hosted by the dutch government :) you know?
14:22 <@krzie> by a company fox it that worked directly with openvpn technologies
14:23 < bluecamel> @krzie I'm very sorry, but I don't know enough about openvpn configuration to understand what to do with that.
14:25 < bluecamel> If nobody shouldn't have read permission on the /etc/openvpn/keys directory, but needs to read /etc/openvpn/keys/crl.pem, I'm failing to see how I should configure this to work.
14:27 <@krzie> giving permission to read and execute the directory is fine 14:27 <@krzie> but dont give permission to read the KEYS 14:28 <@krzie> the dir isnt a biggie as long as they cant write 14:28 < bluecamel> okay, thanks! it's strange that the default permission of the keys is readable by all 14:30 < hiya> is re-negotiation of keys at 1200 or 20mins too less or am I being extra paranoid or it is just fine? 14:37 <@krzie> do you have reason to believe the default of 1 hour was bad? 14:38 <@krzie> or you just turning knobs and dials for fun? 14:38 < hiya> krzie, I think it should be more often then 1h 14:38 <@krzie> cool, why? 14:39 <@krzie> also for the record, nothing wrong with turniong knobs and dials for fun if your goal is to learn through it 14:40 < hiya> an essential fallback to TLS-based 'perfect forward secrecy' via Diffie Hellman keygen 14:40 <@krzie> not sure what you mean by "an essential fallback to" 14:40 < hiya> 2nd best thing? 14:41 <@krzie> but reneg *is* TLS-based 'perfect forward secrecy' via Diffie Hellman keygen 14:41 <@krzie> thats whats happening at reneg 14:42 < hiya> ok 14:43 < hiya> I originally wanted to set 7200 14:43 < hiya> krzie, What is your view on 1200? 14:43 <@krzie> you can set it to whatever you want, im just trying to ask why you feel the need to change it from 1 hour 14:43 <@krzie> you feel it can be cracked in an hour? if so maybe you want stronger dh params 14:44 <@krzie> just so you know, openvpn will not pass traffic over the tunnel during reneg (for the time reneg takes place, on a normal cpu this is very small) 14:45 <@krzie> on my voip phone that can be up to 15 seconds of dead noise 14:45 < hiya> krzie, then 7200? 
14:46 <@krzie> if you think im going to give you a numeric answer you are wrong 14:46 < hiya> krzie, I use 4k RSA, dh 14:46 < hiya> and static key crap too 14:46 < hiya> :) 14:46 <@krzie> i just want you to use logic and figure it out what you want for yourself 14:46 < hiya> tls 1.2 14:46 <@krzie> 4k rsa has little to do with the dh params 14:46 <@krzie> 4k dh too? 14:46 < hiya> yep 14:47 < hiya> 4k everything 14:47 <@krzie> and you feel it can be cracked in 1 hour? 14:47 < hiya> other than Static key 14:47 < hiya> Just more paranoid 14:47 <@krzie> when you say static key you mean hmac sig 14:47 <@krzie> tls-auth 14:47 < hiya> no 14:47 < hiya> tls-auth 14:47 <@krzie> !hmac 14:47 <@vpnHelper> "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS. or (#2) openvpn --genkey --secret ta.key to make the tls 14:47 <@vpnHelper> static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs 14:48 <@krzie> :-p 14:48 < hiya> for --auth I use sha512 14:48 <@krzie> tls-auth is hmac 14:48 < hiya> ok 14:48 < hiya> why is it only 2k? 14:48 < hiya> not 4k? 14:48 <@krzie> cause its not for encryption 14:48 < hiya> What does it do? 14:49 <@krzie> its actually twice as big as it needs to be 14:49 < hiya> it is key to door? 14:49 < hiya> without key you are not allowed with your certs? 14:49 <@krzie> its the key to getting the port to even listen to your packets 14:49 <@krzie> !hmac 14:49 <@vpnHelper> "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. 
The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS. or (#2) openvpn --genkey --secret ta.key to make the tls 14:49 <@krzie> read that 14:49 <@vpnHelper> static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs 14:49 <@krzie> lol 14:50 < hiya> Ok 14:50 < hiya> I get it 14:50 < hiya> I use all of the protection possible 14:50 < hiya> krzie, by defauly clients cannot talk to each other, right? 14:50 < hiya> What do we do to highly isolate them and segment their traffic? 14:50 <@krzie> depends on the firewall config 14:50 <@krzie> !c2c 14:51 <@vpnHelper> "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind 14:51 <@vpnHelper> other clients 14:52 -!- pa [~pa@unaffiliated/pa] has quit [Remote host closed the connection] 14:53 < hiya> krzie, Do you recommend any hardening guide? 14:53 <@krzie> !factoids 14:53 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php 14:53 <@krzie> ill check 14:54 < hiya> you will check? 14:54 <@krzie> !hardening 14:54 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening 14:54 < hiya> omg why do you do, ! ! ! ? 14:54 <@krzie> !bot 14:54 <@vpnHelper> "bot" is I'm a bot.. just a bot. krzee and ecrist are my maintainers, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P 14:55 < hiya> oh? 
14:55 < hiya> hello Mr krzie 14:55 <@krzie> ohai 14:56 -!- Buba1 [~Buba1@unaffiliated/buba1] has joined #openvpn 15:00 -!- |PSU| [psu@c-174-54-248-23.hsd1.pa.comcast.net] has left #openvpn [] 15:02 -!- DMA [~dma@190.146.128.106] has quit [Quit: Mindwall!!] 15:02 -!- r4sp [~r4sp@107.170.28.221] has joined #openvpn 15:04 < r4sp> Hello.. I have a doubt about dns. I have configured the server and copied every necesary file to the client. The client is able to connect but I dont have internet. The server has the forwarding enabled so I think that the problem is because i have to tell the client "how to go outside" 15:05 < r4sp> in the dhcp push option which ip should i pass? I ran "route -nee " in the server so i can see its gatewaydefault gateway but I think im doing something wrong 15:06 < r4sp> s/gatewaydefault/default 15:10 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 255 seconds] 15:12 < DArqueBishop> r4sp: 15:12 < DArqueBishop> !redirect 15:12 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 15:12 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png 15:17 -!- Buba1 [~Buba1@unaffiliated/buba1] has quit [Ping timeout: 260 seconds] 15:18 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Quit: Apparantly my attempt to stay awake has failed...] 
15:20 < r4sp> DArqueBishop: thank you, Ill follow the steps 15:21 -!- n-st [~n-st@unaffiliated/n-st] has quit [Ping timeout: 260 seconds] 15:22 <@krzie> when you get stuck on the flowchart you can tell us where if you need help with it 15:22 -!- jordinja_ [~jordinja_@2.91.192.119] has quit [Quit: Leaving] 15:25 -!- DMA [~dma@190.146.128.106] has joined #openvpn 15:28 -!- kojin [~kojin@unaffiliated/kojin] has joined #openvpn 15:28 < kojin> hi all 15:30 < kojin> finally I've configured my openvpn server but is a bit slow... It runs on 1194 udp, and my client connect to 53 udp. the firewall redirect the 53 to 1194. How can I increase the speed of the connection? 15:32 <@krzie> !speed 15:32 <@vpnHelper> "speed" is (#1) Having speed problems? The following suggestions may help. or (#2) OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded) or (#3) MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues (see !mtu) or (#4) iface txqueuelen often needs to be >100 on fast and/or latent links or (#5) less likely are issues with bad TCP 15:32 <@vpnHelper> window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs) or (#6) prefer tun over tap (see !tunortap and !whybridge) and UDP over TCP (see !tcp) or (#7) if iperf on public ip is also bad, dont expect openvpn to magically make your connection to the server better. or (#8) also consider testing without compression (on _both_ sides, try: --comp-lzo no) or (#9) a 15:32 <@vpnHelper> user reported that http://lowendtalk.com/discussion/comment/843711/ helped them. 15:33 <@krzie> why bother with the redirect, already have something listening on port 53 locally? 15:35 < kojin> krzie do you mean in the server? 15:35 <@krzie> right 15:35 <@krzie> on the machine listening on port 53 ;] 15:36 < kojin> nothing... 
I just wanted to try 15:45 -!- james41382 [~james4138@unaffiliated/james41382] has quit [Read error: Connection reset by peer] 15:52 <@krzie> cool =] 15:53 <@krzie> nothing wrong with doing stuff for learning purposes 15:53 <@krzie> so ya, have a look through the info the bot gave, theres a lot of info there 15:54 -!- kojin [~kojin@unaffiliated/kojin] has quit [Read error: Connection reset by peer] 15:55 -!- kojin [~kojin@unaffiliated/kojin] has joined #openvpn 15:55 < kojin> ok now try 15:57 < kojin> krzie the iperf test must be performed from openvpn server to a public ip right? 15:58 <@krzie> should test via public ips and vpn ips 15:59 < kojin> ok thank you 16:00 <@krzie> np 16:01 -!- james41382 [~james4138@unaffiliated/james41382] has joined #openvpn 16:07 -!- pa [~pa@unaffiliated/pa] has joined #openvpn 16:11 -!- kojin [~kojin@unaffiliated/kojin] has quit [Ping timeout: 255 seconds] 16:19 < bluecamel> for creating a new server, without any revoked certificates, is it possible to create a default/blank crl.pem? I guess, otherwise, crl-verify needs to not be enabled until a certificate is revoked? 16:21 -!- leonarth [~leonarth@unaffiliated/leonarth] has quit [] 16:23 <@krzie> ...did you try? 16:23 <@krzie> i dont know, but i would think its as difficult to ask us as it would be to try... 16:25 < bluecamel> I created a blank crl.pem, but it doesn't like that. I would gladly try to create a blank crl.pem if I knew how, thus the question. 16:25 < bluecamel> I can't find anywhere in the docs that talk about creating a default one. 16:29 <@plaisthos> see openssl crl 16:29 <@plaisthos> or google for openssl crl 16:31 -!- afics [~afics@unaffiliated/-x-/x-5730914] has quit [Quit: Quit.] 16:32 < bluecamel> ah, thanks! 
@plaisthos 16:36 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn 16:40 -!- afics [~afics@unaffiliated/-x-/x-5730914] has joined #openvpn 16:44 -!- afics [~afics@unaffiliated/-x-/x-5730914] has quit [Ping timeout: 256 seconds] 16:46 -!- afics [~afics@unaffiliated/-x-/x-5730914] has joined #openvpn 16:55 -!- DMA [~dma@190.146.128.106] has quit [Quit: Mindwall!!] 17:00 <@krzie> a blank file definitely wouldnt work 17:01 <@krzie> but generating a blank crl through your CA software or openssl might 17:01 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn 17:10 -!- whfsdude [~whfsdude@Zenoss/Support/whfsdude] has quit [Excess Flood] 17:10 -!- whfsdude [~whfsdude@Zenoss/Support/whfsdude] has joined #openvpn 17:20 -!- Paaltomo [~Paaltomo@159.203.30.107] has quit [Quit: It's 420 somewhere] 17:41 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 17:45 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 260 seconds] 17:47 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.92 [Firefox 43.0.4/20160105164030]] 17:48 -!- dazo is now known as dazo_afk 18:00 < mnathani_> I have a routing issue 18:01 < mnathani_> related to openvpn 18:01 < mnathani_> OpenVPN Server <> Openvpn Client <> Cisco Router 18:02 < mnathani_> OpenVPN Client can ping 8.8.8 and the OpenVPN Server NATs the IP and sends it out 18:03 < mnathani_> the cisco router has 2 interfaces. 
The interface for its client facing network works fine, but the interface connecting it to the Openvpn Client is not working, ie packets are either not getting routed or perhaps not getting Natted correctly 18:03 < mnathani_> if that makes any sense 18:03 < mnathani_> I can paste configs if it would help 18:08 -!- Sokel [~nazu@temple.angelsofclockwork.net] has left #openvpn [] 18:09 <@krzie> !clientlan 18:09 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for 18:09 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/clientlan.png 18:09 <@krzie> treat the cisco router as any other member of the clientlan and try the flowchart =] 18:09 < mnathani_> clients of the cisco router work just fine 18:10 < mnathani_> its the router itself when using its 10.10.64.4 IP address does not 18:10 < mnathani_> on its 192.168.64.4 interface it does 18:10 < mnathani_> checking out the flowchart now 18:11 < mnathani_> is gliffy still the tool to use for diagraming my network" 18:11 < mnathani_> ? 18:19 < mnathani_> http://www.gliffy.com/go/publish/9785351 18:19 <@vpnHelper> Title: Gliffy Diagram | OpenVPN Jan 2016 (at www.gliffy.com) 18:22 < mnathani_> Could my issue be due to eth0 on OpenVPN client and Fa0/0 are on the same subnet 18:22 < mnathani_> a /16 ? 
18:27 -!- shio [marmottin@129.121.101.84.rev.sfr.net] has quit [Read error: Connection reset by peer] 18:27 -!- shio [~shio@129.121.101.84.rev.sfr.net] has joined #openvpn 18:33 -!- bluecamel [424446e2@gateway/web/cgi-irc/kiwiirc.com/ip.66.68.70.226] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client] 18:34 -!- NP-Hardass [~NP-Hardas@gentoo/developer/np-hardass] has joined #openvpn 18:39 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Remote host closed the connection] 18:44 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Quit: He who dares .... wins.] 18:47 <@krzie> why would you be using a /16 instead of 2 /24's in that setup? 18:48 -!- Buba1 [~Buba1@unaffiliated/buba1] has joined #openvpn 18:48 < mnathani_> my home network is a /16 18:48 < mnathani_> gateway = 10.10.10.10/16 18:49 < mnathani_> usable range 10.10.0.0 - 10.10.255.255 18:51 -!- Buba1 [~Buba1@unaffiliated/buba1] has quit [Client Quit] 18:51 <@krzie> why? you have more than 254 machines in your broadcast domain? 18:52 <@krzie> and yes, you need to be using different subnets for your lan stuff and openvpn stuff 18:52 <@krzie> logic would say you dont need a /16 but its your network you do whatever makes you happy ;] 18:52 < mnathani_> I cant explain how the Openvpn Client gets natted correctly 18:53 < mnathani_> and the routers clients get natted also 18:53 < mnathani_> but the router itself does not 18:54 < mnathani_> I think it has to do with the routing table on my Openvpn client 18:54 < mnathani_> care to have a look? 
18:54 < mnathani_> I would really appreciate it 18:54 <@krzie> not really, busy at work 18:54 <@krzie> but like i said 18:54 <@krzie> <@krzie> and yes, you need to be using different subnets for your lan stuff and openvpn stuff 18:56 < mnathani_> thanks 19:01 -!- catsup [d@ps38852.dreamhost.com] has quit [Read error: Connection reset by peer] 19:01 -!- catsup [~d@ps38852.dreamhost.com] has joined #openvpn 19:02 -!- catsup [~d@ps38852.dreamhost.com] has quit [Read error: Connection reset by peer] 19:02 -!- catsup [d@ps38852.dreamhost.com] has joined #openvpn 19:03 -!- catsup [d@ps38852.dreamhost.com] has quit [Read error: Connection reset by peer] 19:04 -!- catsup [d@ps38852.dreamhost.com] has joined #openvpn 19:05 -!- catsup [d@ps38852.dreamhost.com] has quit [Read error: Connection reset by peer] 19:05 -!- catsup [~d@ps38852.dreamhost.com] has joined #openvpn 19:06 -!- catsup [~d@ps38852.dreamhost.com] has quit [Read error: Connection reset by peer] 19:06 -!- catsup [d@ps38852.dreamhost.com] has joined #openvpn 19:10 <@krzie> yw 19:26 -!- DzAirmaX [~AirmaX@unaffiliated/dzairmax] has quit [Quit: We here br0.... xD] 19:32 -!- mnathani_ [~mnathani_@192.0.149.228] has quit [Ping timeout: 272 seconds] 19:33 -!- mnathani_ [~mnathani_@192-0-149-228.cpe.teksavvy.com] has joined #openvpn 19:33 < mnathani_> krzie: I set it up again using distinct subnets and it works like a charm <3 Openvpn 19:33 < mnathani_> thanks again 19:36 -!- ljvb [~jason@us.vps.vanbrecht.com] has joined #openvpn 19:39 -!- toli [~toli@ip-83-134-71-227.dsl.scarlet.be] has quit [Ping timeout: 246 seconds] 19:41 -!- pk12 [~pk12@104.243.24.236] has joined #openvpn 19:43 -!- DzAirmaX [~AirmaX@unaffiliated/dzairmax] has joined #openvpn 19:44 < ljvb> wtf... no changes made.. 
but all of a sudden my routes are not being pushed, new laptop, windows 10 19:44 < ljvb> well no changes to my ovpn configs 19:45 -!- toli [~toli@ip-62-235-242-236.dsl.scarlet.be] has joined #openvpn 19:46 -!- PityDaFool [~AfroThund@2601:147:c001:6667:9c20:ccd0:104e:ae4a] has quit [Ping timeout: 240 seconds] 19:48 -!- AfroThundr [~AfroThund@2601:147:c001:6667:8452:e1c6:8546:b964] has joined #openvpn 19:48 -!- AfroThundr [~AfroThund@2601:147:c001:6667:8452:e1c6:8546:b964] has quit [Max SendQ exceeded] 19:49 -!- AfroThundr [~AfroThund@2601:147:c001:6667:8452:e1c6:8546:b964] has joined #openvpn 19:58 <@krzie> mnathani_: you're welcome =] 19:58 <@krzie> ljvb: look at logs 19:58 <@krzie> !logfile 19:58 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info 19:59 -!- somis [~somis@167.160.44.220] has quit [Quit: Leaving] 20:02 < ljvb> I know how to look at a log file :) 20:03 < ljvb> which I am right now.. problem is not the remote client on my laptop, rather the client from my gateway all of a sudden dropping its routes after a few minutes 20:11 <@krzie> dhcp issues? 20:11 -!- pk12 [~pk12@104.243.24.236] has quit [Excess Flood] 20:12 -!- pk12 [~pk12@104.243.24.236] has joined #openvpn 20:23 < ljvb> no.. the connection is just dropping, this started about a week ago, my dns runs on a different network, I have 3 conencted via routed vpn, the gateway client is the one that keeps just dropping till I restart the service.. I did nothing, static configs and pf rules for over a year 20:26 < ljvb> I'll figure it out when I get back home.. 
screwing with firewall and vpn tunnel while being 600 miles away may piss off my wife if I break the internet :) (I removed the default route through the VPN, so atleast at home everything is fine 20:26 -!- tobinski___ [~tobinski@x2f5897f.dyn.telefonica.de] has quit [Read error: Connection reset by peer] 20:27 <@krzie> maybe duplicate certs being used? 20:27 < ljvb> nope, each client (there are only 5) have their own certs 20:27 <@krzie> not sure then 20:27 <@krzie> id expect the logs to have info 20:27 < ljvb> basically 3 networks, and 2 laptops 20:28 < ljvb> I checked the logs, I will have to increase verbosity, as right now the only error I got was 20:28 <@krzie> what verb you on now? 20:28 <@krzie> anything over 5 wont be necessary 20:28 < ljvb> a malloc error 20:28 <@krzie> a malloc error!? 20:28 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn 20:28 < ljvb> 4 I think is what I set it or left it at 20:29 <@krzie> !logs 20:29 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile 20:29 <@krzie> oh right probably best to wait til you're local to it 20:29 <@krzie> dont wanna remotely piss off wifey 20:31 < ljvb> WARNING: mlockall call failed: Cannot allocate memory (errno=12) 20:31 < ljvb> thats the only error outside the usual ones 20:32 < ljvb> the usual being multi src errors 20:48 <@krzie> well thats a problem 20:48 <@krzie> never seen it before, i think you have a system issue 20:50 < ljvb> It's een operating for years with no problems, its an older 5400 series Xeon, dual, 16GB ram, should be more than enough as it is just operating as a gateway 20:51 < ljvb> however, I do have a replacement, rangely c2558 20:54 -!- ShadniX 
[dagger@p579412F9.dip0.t-ipconnect.de] has quit [Ping timeout: 246 seconds] 20:54 -!- wiz [~sid1@irc-gw.wiz.network] has quit [Read error: Connection reset by peer] --- Log closed Wed Jan 13 20:54:14 2016 --- Log opened Fri Jan 15 13:33:06 2016 13:33 -!- ecrist [~ecrist@freebsd/contributor/openvpn.ecrist] has joined #openvpn 13:33 -!- Irssi: #openvpn: Total of 240 nicks [7 ops, 0 halfops, 4 voices, 229 normal] 13:33 -!- Irssi: Join to #openvpn was synced in 0 secs 13:33 -!- mode/#openvpn [+o ecrist] by ChanServ 13:33 <@ecrist> fucking freenode 13:42 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has quit [Quit: Ciao!] 14:27 < Eugene> That's probably illegal 14:28 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 14:28 < _FBi> heh, hey guys 14:31 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 14:35 <@ecrist> sup, _FBi 14:35 < _FBi> plugging away on my Gentoo box 14:36 < _FBi> turns out, I suck at computers 14:38 -!- lotharn [~lotharn@c-73-37-14-65.hsd1.or.comcast.net] has quit [Ping timeout: 272 seconds] 14:38 <@ecrist> you too, eh? 14:42 < _FBi> I should be getting my glock back too. coincidence? 14:43 < _FBi> !ping 14:43 <@vpnHelper> pong 15:01 -!- berken [sid128688@gateway/web/irccloud.com/x-ucyufbwodtxucint] has joined #openvpn 15:02 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 15:03 < berken> i'm attempting to enable yubikey authentication using pam (no radius) following the guide https://developers.yubico.com/yubico-pam/YubiKey_and_OpenVPN_via_PAM.html . authentication works and connection opens, but the user becomes unable to reach any network resources. could this be an issue with my /etc/pam.d/openvpn ? 
15:03 <@vpnHelper> Title: YubiKey and OpenVPN via PAM (at developers.yubico.com) 15:08 -!- wiz [~sid1@irc-gw.wiz.network] has quit [Remote host closed the connection] 15:10 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 15:16 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Read error: Connection reset by peer] 15:17 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 15:25 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 15:35 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 15:48 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 15:49 -!- jackbrown [~se@unaffiliated/jackbrown] has joined #openvpn 15:53 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 15:54 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Read error: Connection reset by peer] 15:58 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Quit: Konversation terminated!] 
15:58 -!- JackWinter [~jack@85.93.203.71] has joined #openvpn 16:02 -!- wiz [~sid1@irc-gw.wiz.network] has joined #openvpn 16:05 -!- OS-16517 [~YBPL@unaffiliated/os-16517] has quit [] 16:11 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds] 16:17 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 16:18 -!- jackbrown [~se@unaffiliated/jackbrown] has quit [Ping timeout: 246 seconds] 16:21 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds] 16:23 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has joined #openvpn 16:27 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 16:33 -!- BrianBlaze420 [~blaze@unaffiliated/brianblaze] has quit [Ping timeout: 256 seconds] 16:41 -!- BrianBlaze420 [~blaze@unaffiliated/brianblaze] has joined #openvpn 16:51 -!- BrianBlaze420 [~blaze@unaffiliated/brianblaze] has quit [Ping timeout: 255 seconds] 17:02 -!- BrianBlaze420 [~blaze@unaffiliated/brianblaze] has joined #openvpn 17:23 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.92 [Firefox 43.0.4/20160105164030]] 17:57 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn 18:23 -!- bootsWitDaFur [~Adium@cpe-24-90-230-39.nyc.res.rr.com] has joined #openvpn 18:23 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has joined #openvpn 18:26 -!- bootsWitDaFur [~Adium@cpe-24-90-230-39.nyc.res.rr.com] has quit [Client Quit] 18:42 -!- lotharn [~lotharn@c-73-37-14-65.hsd1.or.comcast.net] has joined #openvpn 18:57 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 19:00 -!- wvlf [~wvlf@178.162.199.95] has joined #openvpn 19:01 < wvlf> im having a problem with debian/wicd/openvpn, in order to change networks and keep a working connection, i have to "systemctl stop openvpn" then change wifi network, then "systemctl start openvpn" 19:02 < wvlf> otherwise i have no network connect if i change wifi networks without stopping openvpn first 
19:05 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn 19:06 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Max SendQ exceeded] 19:06 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn 19:06 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Client Quit] 19:10 -!- wvlf [~wvlf@178.162.199.95] has quit [Ping timeout: 240 seconds] 19:12 -!- wvlf [~wvlf@c-76-116-203-1.hsd1.nj.comcast.net] has joined #openvpn 19:12 < wvlf> im having a problem with debian/wicd/openvpn, in order to change networks and keep a working connection, i have to "systemctl stop openvpn" then change wifi network, then "systemctl start openvpn" 19:12 < wvlf> otherwise i have no network connect if i change wifi networks without stopping openvpn first 19:20 < Eugene> We heard you the first time ;-) 19:20 < Eugene> Are you using "redirect-gateway"? 19:25 -!- natarej [natarej@101.188.147.129] has quit [Ping timeout: 260 seconds] 19:33 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 20:11 -!- [Mew2] [~m@unaffiliated/pokemaster] has quit [Ping timeout: 240 seconds] 20:13 -!- [Mew2] [~m@unaffiliated/pokemaster] has joined #openvpn 20:23 < wvlf> no im not sure im using redirect-gateway, it is not in my conf file, should it be? 
20:23 < wvlf> im sorry for asking my original question twice, my connection reset and i didnt know if it went through the first time 20:27 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds] 20:32 -!- marlinc [~marlinc@unaffiliated/marlinc] has quit [Ping timeout: 240 seconds] 20:34 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 20:40 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn 20:41 -!- marlinc [~marlinc@unaffiliated/marlinc] has joined #openvpn 20:49 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 20:57 -!- benoliver999 [~ben@198.50.245.34] has quit [Ping timeout: 276 seconds] 21:06 -!- reconmaster [~user@96.47.229.59] has joined #openvpn 21:19 -!- chachasmooth [~chachasmo@p5B125022.dip0.t-ipconnect.de] has quit [Ping timeout: 245 seconds] 21:21 -!- chachasmooth [~chachasmo@p4FC5E7B8.dip0.t-ipconnect.de] has joined #openvpn 21:24 -!- tobinski_ [~tobinski@x2f5a989.dyn.telefonica.de] has joined #openvpn 21:28 -!- tobinski [~tobinski@x2f5518b.dyn.telefonica.de] has quit [Ping timeout: 276 seconds] 21:34 -!- wvlf [~wvlf@c-76-116-203-1.hsd1.nj.comcast.net] has quit [Remote host closed the connection] 21:54 -!- Alias [~Alias@175.141.42.214] has joined #openvpn 21:55 -!- Alias [~Alias@175.141.42.214] has quit [Client Quit] 21:57 -!- Alias [~Alias@175.141.42.214] has joined #openvpn 22:25 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving] 22:27 -!- lotharn [~lotharn@c-73-37-14-65.hsd1.or.comcast.net] has quit [Ping timeout: 276 seconds] 22:53 -!- arthar360 [~arthar360@123.252.217.205] has joined #openvpn 22:56 < arthar360> Hi...I have a completely working OpenVPn setup. What happened is recently my client gave his certificates, username and password to his friend. My client and his friend both simultaneously logged in. They both got same IP address though. 
Note that I have disabled all the options which allow simultaneous logins. What I want is if a user is connected, anothher user with same username and password should be rejected directly. Please guide me 23:37 < _FBi> are you sure? because it sounds like you didn't 23:44 < arthar360> _FBi, Yes I am sure.. 23:45 < _FBi> then why is it happening? 23:46 < arthar360> I have no clue. Both clients get same IP, pinging the server from both clients gives some packet loss but they work. 23:58 -!- ShadniX [dagger@p5DDFFDC6.dip0.t-ipconnect.de] has quit [Ping timeout: 246 seconds] 23:59 -!- ShadniX [dagger@p5DDFF905.dip0.t-ipconnect.de] has joined #openvpn --- Day changed Sat Jan 16 2016 00:19 -!- Alias [~Alias@175.141.42.214] has quit [Quit: Leaving] 00:26 -!- OS-16517 [OS-16517@unaffiliated/os-16517] has joined #openvpn 00:27 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds] 00:34 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 00:45 -!- Brozo [~Brozo@71-35-99-238.tukw.qwest.net] has joined #openvpn 00:58 -!- sara2010 [b45c9d16@gateway/web/freenode/ip.180.92.157.22] has joined #openvpn 00:59 < sara2010> hi 00:59 < Brozo> hello 00:59 < sara2010> any one there 01:00 < sara2010> Brozo: i m using openvpn and i m not enable to connect with domain controller 01:00 < Brozo> I can't answer any support issues 01:01 < sara2010> hmmmm 01:01 < sara2010> any one here to help me 01:30 < sara2010> hmmm 01:30 < sara2010> waiting for someone to help me 01:41 < sara2010> http://pastebin.centos.org/38231/ 01:41 < sara2010> http://pastebin.centos.org/38226/ 02:01 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 02:03 -!- Brozo [~Brozo@71-35-99-238.tukw.qwest.net] has quit [Read error: Connection reset by peer] 02:04 < sara2010> dionysus69: 02:04 < dionysus69> ? 02:05 < sara2010> dionysus69: can u help me 02:05 < dionysus69> why specifically me and how? 
02:05 < sara2010> dionysus69: coz there is no one alive
02:05 < sara2010> i m using openvpn and i m not enable to connect with domain controller
02:06 < sara2010> http://pastebin.centos.org/38226/
02:06 < sara2010> http://pastebin.centos.org/38231/
02:07 < sara2010> here is domain controller and openvpn . ipconfig
02:12 < sara2010> dionysus69: u there ?
02:24 < debdog> ain't a domain controller an ancient technology?
02:28 < sara2010> debdog: its domain controller and openvpn linux server
02:29 < sara2010> debdog: client can't reach with domain controller 192.168.0.1
02:30 < sara2010> client can ping 10.1.3.2
02:32 < sara2010> domain controller have 2 Ethernet one have 192.168.0.1 and 2nd have 10.1.3.2 with gateway 10.1.3.1
02:32 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Remote host closed the connection]
02:32 < debdog> https://en.wikipedia.org/wiki/Domain_controller
02:32 <@vpnHelper> Title: Domain controller - Wikipedia, the free encyclopedia (at en.wikipedia.org)
02:33 < sara2010> if client reach with 192.168.0.1 then they able to join domain controller
02:35 < sara2010> debdog: you understand
02:36 < debdog> no, sorry.
02:36 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn
02:37 < sara2010> debdog: what should i paste bin you ?
02:37 < sara2010> server.conf ?
02:39 < debdog> yes, plus client conf. but I am not a pro either and probably won't be able to help. but anyone who is willing to help has to understand the situation.
02:39 < debdog> btw, did you read the topic?
02:39 < sara2010> yah i did
02:40 < debdog> and comprehend it, too? ;)
02:40 < sara2010> http://pastebin.centos.org/38236/
02:40 < debdog> try "!welcome" and "!goal"
02:40 < sara2010> yah
02:41 -!- jerin [uid67648@gateway/web/irccloud.com/x-idumdoewepegdsyd] has quit [Quit: Connection closed for inactivity]
02:41 < sara2010> !welcome
02:41 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
02:41 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
02:47 -!- Meow-J [uid69628@gateway/web/irccloud.com/x-pcgekwnoiakidone] has joined #openvpn
02:55 -!- ustn [~ustn@p4FDB0619.dip0.t-ipconnect.de] has joined #openvpn
02:56 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
03:00 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Quit: dionysus69]
03:39 < sara2010> !route
03:39 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
03:39 <@vpnHelper> client
03:41 < sara2010> krzee: there
04:27 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds]
04:34 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn
04:50 -!- chachasmooth [~chachasmo@p4FC5E7B8.dip0.t-ipconnect.de] has quit [Ping timeout: 265 seconds]
04:54 -!- chachasmooth [~chachasmo@p4FF8F7AD.dip0.t-ipconnect.de] has joined #openvpn
05:00 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
05:00 -!- ustn [~ustn@p4FDB0619.dip0.t-ipconnect.de] has quit [Quit: ustn]
05:02 -!- ^cj^ is now known as ^CJ^
05:20 -!- chachasmooth [~chachasmo@p4FF8F7AD.dip0.t-ipconnect.de] has quit [Ping timeout: 245 seconds]
05:24 -!- chachasmooth [~chachasmo@p4FF8E824.dip0.t-ipconnect.de] has joined #openvpn
05:24 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
05:34 -!- bootsWitDaFur [~Adium@cpe-24-90-230-39.nyc.res.rr.com] has joined #openvpn
05:34 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
05:36 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Ping timeout: 260 seconds]
05:44 -!- bootsWitDaFur [~Adium@cpe-24-90-230-39.nyc.res.rr.com] has quit [Quit: Leaving.]
05:57 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
06:04 -!- AlmogBaku [~AlmogBaku@37.26.149.208] has joined #openvpn
06:13 -!- AlmogBaku [~AlmogBaku@37.26.149.208] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
06:19 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Quit: sigsts]
06:20 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn
06:20 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Client Quit]
06:20 -!- arthar360 [~arthar360@123.252.217.205] has quit [Quit: Leaving]
06:21 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn
06:23 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn
06:24 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Client Quit]
06:26 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn
06:29 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Client Quit]
06:29 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn
06:30 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
06:35 < hiya> yo
06:42 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
06:58 -!- rich0_ [~quassel@gentoo/developer/rich0] has joined #openvpn
07:03 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 256 seconds]
07:23 -!- moriko [~moriko@178.162.222.41.adsl.inet-telecom.org] has joined #openvpn
08:09 -!- mirco [~mirco@p5B280F53.dip0.t-ipconnect.de] has joined #openvpn
08:18 -!- mirco [~mirco@p5B280F53.dip0.t-ipconnect.de] has quit [Ping timeout: 265 seconds]
08:21 < bithon> hiya: yo my nigga
08:29 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds]
08:34 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn
08:38 < hiya> bithon, What's up bro? :)
08:40 < hiya> bithon, you quit heh :(
08:43 < bithon> what's that channel you invited me to :@
08:47 < hiya> bithon, it is about VPN talk :)
08:47 < hiya> I thought maybe you would like it
08:47 < hiya> but fine
08:51 < bithon> chillout i re-joined.
09:10 < hiya> bithon, its k, its your choice :)
09:10 < bithon> that's what they all say
09:11 < hiya> no no
09:11 < hiya> just quit if you don't like bro
09:11 < hiya> So are you a dev of OpenVPN?
09:18 < hiya> bithon, you there?
09:18 < bithon> No I am not a dev of openvpn. I'm a random lad, just like you are hiya. :)
09:20 < hiya> bithon, do you host OpenVPN server?
09:20 < hiya> I love to know new stuff about openVPN like configuration things
09:22 < bithon> not right now, no.
09:22 < bithon> i am going to, however, setup one soon on my home server. :p
09:23 < bithon> as for configuration you should consider checking some of the wikis like arch's wiki (they have some amazing stuff there) https://wiki.archlinux.org/index.php/OpenVPN
09:23 <@vpnHelper> Title: OpenVPN - ArchWiki (at wiki.archlinux.org)
09:35 < hiya> bithon, I refer to Archlinux for a lot of things too
09:36 < hiya> Also I am reading Mastering OpenVPN
09:36 < hiya> a good book
09:59 < hiya> bithon, So what is going on? :)
10:01 < bithon> well mostly studying right now and wasting my life on irc..
10:06 -!- andy09usa [~andy09usa@unaffiliated/andy09usa] has joined #openvpn
10:07 -!- ^CJ^ is now known as ^cj^
10:07 -!- ^cj^ is now known as ^CJ^
10:09 < hiya> bithon, wasting your IRC? :) hehe, how do you do it?
10:16 < bithon> like so
10:18 < hiya> I see
11:04 -!- JackWinter [~jack@85.93.203.71] has quit [Quit: Konversation terminated!]
11:06 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn
11:12 < hiya> JackWinter, sup?
11:35 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
11:55 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
12:08 -!- chachasmooth [~chachasmo@p4FF8E824.dip0.t-ipconnect.de] has quit [Ping timeout: 276 seconds]
12:09 -!- chachasmooth [~chachasmo@p4FF8E824.dip0.t-ipconnect.de] has joined #openvpn
12:21 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn
12:27 -!- pothepanda [~thgs@2a02:587:3c04:1300:29bd:eda6:11ed:de2d] has quit [Quit: Leaving]
12:28 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds]
12:35 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn
12:36 -!- walnuts [~walnuts@95.211.230.98] has quit [Ping timeout: 264 seconds]
12:39 -!- walnuts [~walnuts@95.211.230.98] has joined #openvpn
12:41 -!- chachasmooth [~chachasmo@p4FF8E824.dip0.t-ipconnect.de] has quit [Ping timeout: 265 seconds]
12:44 -!- chachasmooth [~chachasmo@p4FC5E5F4.dip0.t-ipconnect.de] has joined #openvpn
12:51 < hiya> walnuts, sup
12:51 < hiya> :)
12:52 < _FBi> heya hiya
13:04 < hiya> _FBi, What's up? hows your VPN business?
13:05 < _FBi> starting to pickup again
13:12 < hiya> Cool bro :)
13:12 < hiya> Accept BTC yet?
13:12 < hiya> or Paypal only?
13:22 -!- eelstrebor [~ki7rw@216.75.116.100] has joined #openvpn
13:27 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds]
13:28 < _FBi> paypal only. :(
13:28 < _FBi> I've donated all the money I've made to VeraCrypt and Wikipedia
13:30 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn
13:31 -!- eelstrebor [~ki7rw@216.75.116.100] has quit [Quit: Ex-Chat]
13:32 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Remote host closed the connection]
13:32 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn
13:58 < hiya> _FBi, Omg :) such a nice thing :) What is your website? Maybe I would forward of the people to you for VPN :)
13:58 -!- Nik05 [~Nik05@unaffiliated/nik05] has quit [Remote host closed the connection]
13:59 < _FBi> website is down :D uwantmy.info
14:01 -!- Nik05 [~Nik05@unaffiliated/nik05] has joined #openvpn
14:08 < hiya> lol
14:23 -!- eelstrebor [~ki7rw@216.75.116.100] has joined #openvpn
15:00 -!- ^CJ^ is now known as ^cj^
15:06 -!- Meow-J [uid69628@gateway/web/irccloud.com/x-pcgekwnoiakidone] has quit [Quit: Connection closed for inactivity]
15:12 -!- krzie [ba95f387@openvpn/community/support/krzee] has joined #openvpn
15:12 -!- mode/#openvpn [+o krzie] by ChanServ
15:31 -!- bithon [~bithon@unaffiliated/bithon] has quit [Ping timeout: 246 seconds]
16:04 -!- allizom [~Thunderbi@host90-164-dynamic.20-87-r.retail.telecomitalia.it] has joined #openvpn
16:11 -!- Hadi [~Instantbi@31.59.49.167] has joined #openvpn
16:13 -!- Hadi [~Instantbi@31.59.49.167] has quit [Client Quit]
16:14 -!- Hadi [~Instantbi@31.59.49.167] has joined #openvpn
16:16 -!- Hadi [~Instantbi@31.59.49.167] has quit [Remote host closed the connection]
16:28 -!- Hadi [~Instantbi@31.59.49.167] has joined #openvpn
16:29 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds]
16:29 -!- Brozo [~Brozo@71-35-99-238.tukw.qwest.net] has joined #openvpn
16:35 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn
16:36 -!- allizom [~Thunderbi@host90-164-dynamic.20-87-r.retail.telecomitalia.it] has quit [Quit: allizom]
17:06 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Remote host closed the connection]
17:14 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
17:14 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: quit]
17:30 -!- Brozo_ [~Brozo@71-35-99-238.tukw.qwest.net] has joined #openvpn
17:32 -!- Brozo_ [~Brozo@71-35-99-238.tukw.qwest.net] has quit [Read error: Connection reset by peer]
17:32 -!- Brozo [~Brozo@71-35-99-238.tukw.qwest.net] has quit [Ping timeout: 265 seconds]
17:32 -!- Brozo_ [~Brozo@71-35-99-238.tukw.qwest.net] has joined #openvpn
17:48 -!- eelstrebor [~ki7rw@216.75.116.100] has quit [Quit: Ex-Chat]
17:53 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 260 seconds]
17:56 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Read error: Connection reset by peer]
17:58 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
18:06 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has joined #openvpn
18:15 -!- Daimer [~Daimer34@CPE20a548a1bb39-CM00fc8d4bb6e0.cpe.net.cable.rogers.com] has joined #openvpn
18:16 < Daimer> can i inline tls-auth hash into my client.conf file ?
18:18 <@plaisthos> yes
18:18 <@plaisthos> !inline
18:18 <@vpnHelper> "inline" is (#1) Inline files (e.g. ... are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page at https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs
18:22 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Read error: Connection reset by peer]
18:23 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
18:24 < Daimer> should i include the 0/1 opposite values for tls-auth directive, or just omit them?
18:29 -!- Brozo_ [~Brozo@71-35-99-238.tukw.qwest.net] has quit [Read error: Connection reset by peer]
18:29 -!- Brozo [~Brozo@71-35-99-238.tukw.qwest.net] has joined #openvpn
18:33 < Daimer> plaisthos: should i specify key-direction?
18:33 <@krzie> id include it
18:33 < Daimer> or omit from server/client
18:33 < Daimer> ok
18:34 <@krzie> and if you're using inline you need --key-direction
18:34 <@krzie> !inline
18:34 <@vpnHelper> "inline" is (#1) Inline files (e.g. ... are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page at https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs
18:35 < Daimer> so in server.conf i have >> "tls-auth tls.key 0" and in client.conf i have "inline key-direction 1"
18:38 <@krzie> as long as key-direction 1 is on its own line
18:39 < Daimer> ah of course
18:41 -!- Brozo [~Brozo@71-35-99-238.tukw.qwest.net] has quit [Ping timeout: 240 seconds]
18:43 -!- Brozo [~Brozo@71-35-99-238.tukw.qwest.net] has joined #openvpn
18:45 < Daimer> I get a lot of errors like
18:45 < Daimer> warnings i mean
18:45 < Daimer> WARNING: Bad encapsulated packet length from peer (4930), which must be > 0 and <= 1563 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
18:52 <@krzie> odds are you're changing things you shouldnt have touched
18:53 <@krzie> !configs
18:53 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting
19:03 -!- Brozo [~Brozo@71-35-99-238.tukw.qwest.net] has left #openvpn ["Leaving..."]
19:06 < Daimer> krzie: i get quite a lot of those warnings .... would tls-auth help for those warnings ^^ ?
19:08 <@krzie> no
19:08 < Daimer> ok i see
19:09 <@krzie> and without seeing your configs i wont be answering anything else about it
19:13 < Daimer> krzie: yes of course >> http://pastebin.com/UYjwCQYg
19:14 <@krzie> hmm weird
19:14 <@krzie> ones proto udp other is proto tcp
19:14 <@krzie> that shouldnt even connect
19:14 < Daimer> ah yes this is an old file
19:15 < Daimer> even notice one is AES-128 and the other is AES-256
19:15 < Daimer> one second i will paste again
19:15 -!- Socket- [~kerbooom@pool-96-241-142-135.washdc.fios.verizon.net] has joined #openvpn
19:16 < Daimer> krzie: http://pastebin.com/C24AYQZN
19:17 < Socket-> Hello, i am using ovpn on my asus router(server) and android phone(client). My phone is able to connect and access internal resources, and inet
19:17 < Socket-> but i want my inet traffic to tunnel through the VPN, any advice? I tried redirect-gateway def1 on the client ovpn
19:17 < Daimer> krzie: i just want to know if tls-auth would help suppress those errors
19:17 <@krzie> Daimer: i have no idea why its doing that then
19:18 <@krzie> no, like i said earlier
19:18 <@krzie> TOTALLY unrelated
19:18 < Daimer> ahh i see ok
19:18 < Daimer> yes i understand
19:18 <@krzie> Socket-:
19:18 <@krzie> !redirect
19:18 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
19:18 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
19:18 <@krzie> besides redirect-gateway you need to NAT the traffic
19:19 <@krzie> you already have ip forwarding working well since you mentioned internal resources (on the lan i assumed)
19:19 <@krzie> !linnat
19:19 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
19:19 <@krzie> so something like that should get you going Socket-
19:20 < Socket-> krzie: yeah, and i already have the "redirect-gateway defl" so I guess I just need to configure nat on the asus router?
19:26 <@krzie> no
19:26 <@krzie> oh wait, yes
19:26 <@krzie> asus router = the openvpn server, right?
19:27 < Socket-> yeah, it's running the asuswrt-merlin firmware
19:27 <@krzie> ok so yes
19:27 < Socket-> iv never had to do CLI on it, i normally use the webgui, but i dont see anything about nat in the vpn config
19:27 <@krzie> you need to NAT the openvpn subnet out as the public ip
19:28 <@krzie> nat is unrelated to the vpn
19:29 < Socket-> ok, so here is my current iptables...
19:29 < Socket-> http://apaste.info/7F4
19:29 < Socket-> and my vpn subnet is 192.168.50.0/24
19:30 < Socket-> so you're saying I need to do iptables -t nat -I POSTROUTING -s 192.168.50.0/24 -o eth0(lan ip) -j MASQUERADE
19:32 <@krzie> yep
19:32 <@krzie> thats what im saying
19:32 <@krzie> iptables -t nat -I POSTROUTING -s 192.168.50.0/24 -o eth0 -j MASQUERADE
19:32 <@krzie> i didnt look at your rules, but it wont matter
19:32 <@krzie> i use -I to be sure it doesnt matter ;]
19:33 < Socket-> dan@RT-AC68P:/tmp/home/root# iptables -t nat -I POSTROUTING -s 192.168.50.0/24 -o eth0 MASQUERADE
19:33 < Socket-> Bad argument `MASQUERADE'
19:33 <@krzie> -j
19:34 < Socket-> ok, here is my new config
19:34 < Socket-> http://apaste.info/Bof
19:34 < Socket-> i don't see anything listed about masquerade in there
19:35 < Socket-> should there be?
19:35 < Socket-> my phone is still using my cell service IP instead of VPN's public ip
19:42 < Daimer> Socket: your config has nothing to do with MASQUERADE, this is an iptables directive
19:43 < Daimer> Socket: also you can try SNAT
19:44 < Daimer> iptables -t nat -I POSTROUTING -s 192.168.50.0/24 -j SNAT --to-source 1.2.3.4
19:44 < Socket-> the config im pasting is the output of iptables --list
19:44 < Daimer> 1.2.3.4 = your ip address
19:45 < Socket-> my openvpn's LAN ip address right?
19:45 < Daimer> 192.168.50.0/24
19:45 < Daimer> im assuming its that ^^ ?
19:45 < Socket-> sorry, the --to-source option
19:46 < Socket-> dan@RT-AC68P:/tmp/home/root# iptables -t nat -I POSTROUTING -s 192.168.50.0/24 -o eth0 -j SNAT --to-source 192.168.0.1
19:46 < Socket-> 192.168.0.1 is the LAN ip of my router(openvpn server)
19:46 < Daimer> remove the -o
19:46 < Daimer> -o eth0
19:46 < Socket-> k, yeah i misread what you said
19:47 < Daimer> ok
19:47 < Socket-> do i need to remove the previous MASQUERADE command before i do this?
19:47 < Daimer> and 192.168.0.1 should be your real ipv4 address
19:47 < Daimer> like this
19:47 < Daimer> iptables -t nat -I POSTROUTING -s 192.168.50.0/24 -j SNAT --to-source 96.241.142.135
19:47 < Daimer> your WAN ip
19:48 < Daimer> or any other IP if you have more than 1 ip
19:48 < Socket-> k, ill try that
19:48 < Daimer> 96.241.142.135 im assuming this is your WAN ip, if not replace it with your own
19:48 < Socket-> yeah thats mine
19:48 < Socket-> my phone still gets cell ip
19:49 < Daimer> ok, try the rule i pasted above
19:49 < Socket-> iptables -t nat -I POSTROUTING -s 192.168.50.0/24 -j SNAT --to-source 96.241.142.135
19:49 < Socket-> that was the command i used
19:49 < Daimer> yes exactly
19:49 < Socket-> my phone still gets cell ip
19:49 < Daimer> now can you access any website?
19:49 < Socket-> i can
19:49 < Daimer> ok, so what is the problem?
19:50 < Socket-> im going to ipchicken and not seeing my openvpns public ip 96...
19:50 < Daimer> which ip are you seeing?
19:50 < Daimer> it should show the ip you SNAT to....
19:50 < Socket-> my cells ip 66.249.83...
19:50 < Daimer> in this case 96....
19:50 < Socket-> yeah, it does not do that
19:51 < Daimer> ok ... this is android or ios ?
19:51 < Socket-> android
19:51 < Daimer> ok ... maybe reinstall openvpn app?
19:51 < Socket-> sure, ill try that
19:51 < Daimer> not sure about android, but i know on PC this would be an issue of not starting openvpn with administrative privileges
19:52 < Daimer> maybe the openvpn android app requires root?
19:52 < Daimer> i dont know so you will have to check
19:52 < Daimer> i've never used the mobile openvpn app...
19:53 < Daimer> to me it sounds like your device is not setting up the routing tunnel correctly due to the client not having administrative privilege (root) ?
19:54 < Socket-> not sure, i dont see any errors about permission denied
19:55 < Daimer> https://play.google.com/store/apps/details?id=de.blinkt.openvpn&hl=en
19:55 < Daimer> are you using this one?
19:55 < Daimer> apparently it does not require root, so disregard what i said about the app not having administrative privilege
19:55 < Socket-> nope, openvpn connect
19:56 < Socket-> https://play.google.com/store/apps/details?id=net.openvpn.openvpn
19:56 < Daimer> ok, i see it also states it does not require root
19:56 < Socket-> ok, reinstalled vpn client, and restarted vpn server
19:57 < Daimer> can you post output of "iptables -nv -L"
19:57 < Socket-> same results
19:57 < Socket-> sure
19:57 < Daimer> you might want to do service iptables save before hand, then connect to the vpn and try to visit a website
19:57 < Socket-> http://apaste.info/bzG
19:57 < Daimer> and then post the output
19:58 < Daimer> hmm weird
19:59 < Daimer> this is your router?
19:59 < Socket-> yep
19:59 < Socket-> here is my client ovpn if it helps: http://apaste.info/NXU
19:59 < Daimer> because to SNAT to an ip, the ip needs to be attached to a virtual network device
20:00 < Daimer> do you have /etc/sysconfig/network-scripts/eth0 in this router?
20:00 < Socket-> here are my network devices: http://apaste.info/wR3
20:00 < Socket-> checking
20:00 < Daimer> no need, i can see your devices
20:00 < Socket-> nope, no sysconfig
20:01 < Socket-> tun21 = openvpn and eth0 = wanip
20:01 < Daimer> ok ... then im not sure how you would SNAT or MASQUERADE for that matter from a router
20:01 < Daimer> doesnt the router page have a GUI to configure openvpn ?
20:02 <@krzie> iptables --list is NOT how you look at iptables rules
20:02 <@krzie> thats why you dont see your nat stuff
20:02 <@krzie> iptables-save
20:02 <@krzie> and im not sure why Daimer kept giving you different stuff, but use what i said.
20:02 < Socket-> here is the gui: http://imgur.com/lQPjRme
20:02 <@vpnHelper> Title: Imgur: The most awesome images on the Internet (at imgur.com)
20:03 < Socket-> ok did iptables-save
20:03 < Socket-> should i test, or do i need to remove the snat command you didnt mention
20:03 <@krzie> thats how you look at rules
20:03 < Daimer> krzie: you are right about not seeing nat rules, i just wanted to get a view of how the firewall is setup
20:03 <@krzie> remove the other stuff
20:03 < Daimer> Socket: remove it
20:04 < Daimer> iptables -t nat -D POSTROUTING -s 192.168.50.0/24 -j SNAT --to-source 96.241.142.135
20:04 < Socket-> thanks
20:04 < Socket-> and saved again
20:05 <@krzie> iptables-save doesnt save them
20:05 <@krzie> its how you look at them
20:05 < Socket-> current tables: http://apaste.info/Ydg
20:05 < Socket-> ohh
20:05 < Daimer> Socket: iptables-save > /tmp/rules.txt
20:05 < Daimer> and then post the output of rules.txt
20:05 <@krzie> although you *could* iptables-save > output then modify the "output" file and then iptables-restore < output
20:06 <@krzie> ya, like Daimer said
20:06 < Socket-> k, ill try that, because im not sure where the rules should be placed
20:07 < Socket-> ok, so i did iptables-save > /tmp/rules.txt
20:07 < Socket-> then vi /tmp/rules.txt
20:07 < Socket-> and i already see the MASQUERADE rule in there
20:07 < Socket-> is there any change i need to do before i restore
20:08 < Daimer> Socket: first "service iptables save"
20:08 < Daimer> then "iptables-save > /tmp/rules.txt"
20:09 < Daimer> then post the rules.txt on pastebin
20:09 < Socket-> thats not a valid service in asuswrt-merlin firmware
20:09 < Daimer> ahh ok...
20:09 < Daimer> ok then just post the rules.txt file
20:09 < Socket-> i did iptables-save
20:09 < Daimer> do you see the MASQUERADE rule in there?
20:10 < Socket-> http://apaste.info/PTl
20:10 < Socket-> yep, line 21
20:10 <@krzie> when i configure routers like that i normally put my custom commands into /etc/rc.local
20:10 < Socket-> safe to do iptables-restore ?
20:10 <@krzie> Socket-: did you mod something?
20:10 <@krzie> or is that an unmodified rules.txt?
20:11 < Socket-> I think i have only made 1 modification about the masquerade option you shared
20:11 < Socket-> and that is in the rules.txt
20:11 <@krzie> did you add it to rules.txt or it was already there?
20:12 <@krzie> you only need iptables-restore if you changed rules.txt and want to load the new version
20:12 < Socket-> I'm not sure
20:12 <@krzie> lol
20:12 < Socket-> i did iptables-save > rules.txt
20:12 <@krzie> if you dont know if you changed rules.txt how the hell should anybody else know?
20:12 < Socket-> and then you said i need to modify the file
20:12 < Socket-> but im not sure what to change
20:12 <@krzie> ok
20:12 <@krzie> it looks good, dont change anything
20:12 <@krzie> now go test
20:13 < Socket-> ok, rebooting openvpn to test
20:13 < skyroveRR> krzie: can openvpn, like most unix-like programs, be statically linked?
20:13 <@krzie> sure
20:13 < skyroveRR> Have you linked them statically?
20:14 <@krzie> i have not
20:14 < skyroveRR> And how's the performance?
20:14 < skyroveRR> Ah ok..
20:14 <@krzie> but im sure the version that came on Socket-'s router's firmware is statically linked
20:14 < Socket-> krzie: my phone still does not have the 96... IP
20:14 <@krzie> Socket-: did you restart openvpn or reboot the entire router?
20:14 < skyroveRR> krzie: Does it support libcs other than glibc, like musl, diet and uclibc?
20:15 <@krzie> skyroveRR: no idea, check out the configure file
20:15 < Socket-> krzie: just restarted the openvpn service
20:15 < skyroveRR> Ok.
20:15 <@krzie> Socket-: follow this:
20:15 <@krzie> !redirect
20:15 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
20:15 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
20:15 <@krzie> the flowchart in #4
20:15 <@krzie> tell me where you get stuk
20:15 <@krzie> stuck*
20:16 <@krzie> actually sorry i have to do work now
20:16 <@krzie> the boss just put me in charge for the rest of the day
20:16 <@krzie> bbl
20:18 < Socket-> Can anyone else help me with this flowchart krzie mentioned. I am able to ping the VPN ip. I'm not sure how to tell if the redirect-gateway is enabled. It's defined in the options of the clients ovpn file, but how do i tell for sure
20:18 <@krzie> your client logfile
20:18 <@krzie> !logfile
20:18 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
20:21 < Socket-> ok, it says 0[redirect-gateway] [defl] in the android clients log file
20:21 < Socket-> I guess that means it's enabled?
20:21 <@krzie> ya but since you're there look at the logs and see that it added the routes
20:22 < Socket-> route 192.168.0.0 255.255.255.0
20:22 < Socket-> route-gateway 192.168.50.1
20:22 < Socket-> those are the two i see
20:26 -!- reconmaster [~user@96.47.229.59] has quit [Ping timeout: 276 seconds]
20:28 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds]
20:32 <@krzie> !logs
20:32 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
20:32 <@krzie> from just the client is fine
20:32 <@krzie> ill be slow but i guess works slow enough that im still able to help some =]
20:35 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn
20:37 < Daimer> krzie: any idea if i can disable these openvpn warnings "WARNING: Bad encapsulated packet length from peer" from filling up my syslog ?
20:38 <@krzie> does your vpn actually work well?
20:38 < Socket-> so, i tested securecomputing ip.php and it said my ip was 96...
20:38 < Socket-> so thats good
20:38 < Socket-> but ipchicken still says 665
20:38 < Socket-> so i guess ipchicken is messed up for me
20:38 < Daimer> Socket: try google "whats my ip"
20:38 < Socket-> i think it's been working for a while just my ip test page was incorrect
20:39 < Daimer> it should tell you your ip address above the first result
20:39 < Socket-> yeah google says 96. also
20:39 < Socket-> so thats good
20:39 < Daimer> ok so all is good?
20:39 < Daimer> maybe that ipchicken website is caching or something?
20:39 < Socket-> thanks for the help, glad i followed the guide and tried an alternate ip checker
20:39 <@krzie> Daimer: you could just disable logging i guess, but i really want to know whats wrong with your vpn, makes no sense that you're getting those errors without messing with knobs in openvpn
20:39 < Daimer> try to control+f5 that page
20:39 <@krzie> i expected to see you messing with tcp settings, but from the configs you showed me you are not
20:40 < Socket-> neither of those keys are on my android keyboard ;) but i think im good
20:40 < Daimer> krzie: im guessing its bot traffic trying to connect to port 80 thinking its web server
20:40 <@krzie> hmm
20:40 <@krzie> if thats true then i change my answer on tls-auth
20:40 <@krzie> lol
20:42 < Daimer> lol :)
20:49 <@krzie> but actually, you may like --port-share
20:51 <@krzie> !port-share
20:51 <@vpnHelper> "port-share" is When run in TCP server mode, share the OpenVPN port with another application, such as an HTTPS server. If OpenVPN senses a connection to its port which is using a non-OpenVPN protocol, it will proxy the connection to the server at host:port. Currently only designed to work with HTTP/HTTPS, though it would be theoretically possible to extend to other protocols such as ssh. Not
20:51 <@vpnHelper> implemented on Windows.
21:07 -!- Toggi3 [jeff@he.ddosd.us] has quit [Ping timeout: 260 seconds]
21:23 -!- tobinski___ [~tobinski@x2f591a3.dyn.telefonica.de] has joined #openvpn
21:23 < Daimer> how can i disable warnings in /var/log/messages
21:23 < Daimer> WARNING: Bad encapsulated packet length from peer (4930), which must be > 0 and <= 1563 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
21:23 < Daimer> i dont want it to fill up my syslog, how can i disable these warnings?
21:24 < Daimer> in my server.conf i have "verb 0" 21:25 < Daimer> krzie: i dont need port share, because i dont have apache running on port 80 21:25 < Daimer> only openvpn 21:26 <@krzie> did you try tls-auth? 21:26 <@krzie> if your guess about it being a web crawler were right then prt-share or tls-auth will get rid of the warnings 21:26 -!- tobinski_ [~tobinski@x2f5a989.dyn.telefonica.de] has quit [Ping timeout: 250 seconds] 21:27 <@krzie> instead of taking an axe to the logging lets see if you can fix it 21:33 -!- chachasmooth [~chachasmo@p4FC5E5F4.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds] 21:33 -!- chachasmooth [~chachasmo@p4FC5E78F.dip0.t-ipconnect.de] has joined #openvpn 22:00 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 240 seconds] 22:00 -!- mattock_ is now known as mattock 22:19 -!- Daimer [~Daimer34@CPE20a548a1bb39-CM00fc8d4bb6e0.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer] 23:04 -!- Hadi [~Instantbi@31.59.49.167] has quit [Remote host closed the connection] 23:12 -!- Meow-J [uid69628@gateway/web/irccloud.com/x-csakluwbldattrfa] has joined #openvpn 23:42 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer] 23:58 -!- ShadniX [dagger@p5DDFF905.dip0.t-ipconnect.de] has quit [Ping timeout: 246 seconds] 23:59 -!- ShadniX [dagger@p5DDFC1B7.dip0.t-ipconnect.de] has joined #openvpn --- Day changed Sun Jan 17 2016 00:28 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds] 00:35 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 00:59 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 01:26 -!- KNERD [~KNERD@netservisity.com] has quit [Ping timeout: 240 seconds] 02:02 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. 
12:07 < hiya> walnuts, sup
15:04 < PhSnake> Hi all, plz anyone could help me with configuring OpenVPN (tun)?
15:29 < julianoliver> i don't have client-to-client enabled on one of my OpenVPN servers yet, oddly, client to client traffic traverses just fine. why is this and is there another OpenVPN way of prohibiting all client-to-client traffic (short of iptables)?
17:05 < Aartsie> Hi all!
17:06 < Aartsie> I'm trying to start up a VPN server but i don't get any connection with port 1194, is there a way that i can test if openvpn is working correctly?
17:09 < Aartsie> When i try netstat -lnp i don't see OpenVPN in the list
17:27 < onezuff> i'm running openvpn server on boxA and i'm able to connect to the from boxB and boxC. boxB has a br0 bridged interface and basically loses internet connectivity when i connect, boxC does not have any bridged devices and keeps internet
17:27 < onezuff> is there something else i need to do to get openvpn client to work if i'm using a bridged device on that machine?
18:40 < julianoliver> i don't have client-to-client enabled on one of my OpenVPN servers yet, oddly, client to client traffic traverses just fine. why is this and is there another OpenVPN way of prohibiting all client-to-client traffic (short of iptables)?
20:47 < Phagus> What's the configuration style called when you want to give someone access to only your local network, but they access the rest of the Internet through their own connection?
21:04 <@krzie> !serverlan
21:04 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
21:31 < Phagus> Thank you
21:31 < Phagus> Is it possible to have both a Serverlan and a regular VPN tunneling configuration on the same network?
21:33 <@krzie> what exactly do you think is a regular vpn tunneling config?
21:34 <@krzie> a vpn is just a link between 2 machines, then you can choose to set up routing to a lan or to the internet or whatever else you want
22:13 < Phagus> Well, I want to know how to have two different configurations for my home network
22:14 < Phagus> One allowing me to have a bridged connection to the internet, another allowing someone to log in and just have access to my local network machines
22:20 < illuminated> create 2 separate server.conf files (be sure to give each instance a unique port) and run 2 instances of openvpn at once.
22:23 < Phagus> Hmm okay
23:29 < sara2010> illuminated: there
23:29 < sara2010> illuminated: 2 server.config file how
23:51 < sara2010> ayaz: welcome
23:51 < ayaz> sara2010: Thanks
23:52 < sara2010> ayaz: what can i help you ?
23:52 < ayaz> Nothing in particular at the moment
23:53 < sara2010> ayaz: so r u using openvpn
23:53 < ayaz> Yes
--- Day changed Mon Jan 18 2016
00:27 < Phagus> I'm using a TAP configuration. Whenever I try to access an HTTPS or SSH service on my LAN on my VPN, it refuses my connection. How do I get this to work?
02:30 < rathel> Hello, I
02:31 < rathel> Hello, I'm running Openvpn client on Archlinux. I was wondering if there is any way I can ignore port 22 from going through the vpn.
07:07 < julianoliver> i don't have client-to-client enabled on one of my OpenVPN servers yet, oddly, client to client traffic traverses just fine. why is this and is there another OpenVPN way of prohibiting all client-to-client traffic (short of iptables)?
07:09 < julianoliver> i can use iptables, of course, but i'd rather be sure i understand the client-to-client option first. when I RTFM it appears that no client-to-client traffic should propagate without it explicitly set
07:37 < hiya> hey bro
07:50 <@ecrist> julianoliver: configs?
07:51 <@ecrist> rathel: you need to block that traffic with a firewall
07:51 <@ecrist> rathel: if you're talking about just not routing port 22 to anything through the VPN, then it gets much harder
08:26 < julianoliver> ok, easy done with iptables then
10:15 < DammitJim> I think I messed something up when creating my client keys
10:15 < DammitJim> I am using easy-rsa
10:15 < DammitJim> and created keys only for 1 client
10:15 < DammitJim> then mistakenly ran ./clean-all
10:15 < DammitJim> how can I create more keys using the same ca.crt that I already have working on an openvpn server and not have to replace everything?
10:15 < DammitJim> thanks!
10:16 <@dazo> DammitJim: You can't ... if you have lost the CA key, you have lost the most important and sacred file in a PKI setup
10:17 < DammitJim> no, I still have the CA key
10:17 < DammitJim> but I don't know how to load it into easy-rsa
10:17 <@dazo> the CA *key*, not just the cert?
10:18 < DammitJim> I have all those files... ca.crt, ca.key, dh2048.pem, 01.pem, etc
10:18 < DammitJim> but I don't know why I feel that easy-rsa is expecting me to load those before creating a new key for a client
10:18 <@dazo> wow ... you are more lucky than I'd expect :)
10:19 < DammitJim> thanks dazo ... I guess I should go and buy a lottery ticket
10:19 < DammitJim> (I made a backup right after I created them)
10:19 <@dazo> The ca.key is used to add the signature in the client/server certificates
10:19 < DammitJim> problem is I keep reading that this information should be saved in a location with no internet connectivity, so I need to change that
10:19 < DammitJim> ok, so is it as simple as just running ./build-key ?
10:20 <@dazo> A certificate is basically a public key, some ownership details (subject, issuers, dates, etc) and a signature created using the CA key .... clients/servers which have a copy of the CA certificate can then authenticate a certificate they receive by using the CA cert
10:20 <@dazo> you may need to hack up a new index file too
10:20 < DammitJim> I guess I am confused because I am going to be generating a new ca.key for another openvpn server and if I ever need to go back and create more keys, I don't know how I would "load" those
10:21 <@dazo> do you know which serial numbers you have used? Or at least the last one?
10:21 < DammitJim> I have the index.txt
10:21 <@dazo> is it up-to-date?
10:21 < DammitJim> and I have the serial file also
10:21 < DammitJim> yes
10:21 < DammitJim> serial says 03
10:21 <@dazo> then you should have everything you need
10:21 <@dazo> so you've issued a CA certificate, a server cert and a client cert
10:22 < DammitJim> ye
10:22 < DammitJim> yes
10:22 < DammitJim> I need to issue a new client cert
10:22 <@dazo> okay, as long as you have those files (do keep an extra backup!) ... you should be good to go again
10:23 <@dazo> do you get any errors when trying to create a new cert?
10:23 < DammitJim> I haven't tried it (didn't want to break anything)
10:23 < DammitJim> let me try it
10:23 <@dazo> as long as you have a backup, you can roll back :)
10:24 < DammitJim> Please edit the vars script to reflect your configuration,
10:24 < DammitJim> then source it with "source .vars"
10:24 < DammitJim> I think that's because I mistakenly did a ./clean-all ?
10:24 <@dazo> yeah, do that .... it says ".vars" not ".vars"
10:25 <@dazo> this is a very confusing part of the easy-rsa stuff ... whenever you start a new shell, you need to source the vars file
10:26 <@dazo> http://ss64.com/bash/source.html
10:26 <@vpnHelper> Title: source or dot operator Man Page | Bash | SS64.com (at ss64.com)
10:26 <@dazo> DammitJim: you should consider moving to the new generation of easy-rsa ... https://github.com/OpenVPN/easy-rsa
10:26 <@vpnHelper> Title: OpenVPN/easy-rsa - Shell - GitHub (at github.com)
10:27 <@dazo> a complete rewrite of easy-rsa, making it far more useful
10:28 < DammitJim> ok... I did the source ./vars (with the space)
10:28 < DammitJim> it said: NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
10:29 < DammitJim> I'm not going to do a ./clean-all, am I?
10:30 < DammitJim> 'cause I do sudo ./build-key laptop
10:30 < DammitJim> and I get the same error
10:31 < DammitJim> about source ./vars
10:32 <@dazo> no, not at all ... if you do that ... it will run 'rm -rf' on your CA files
10:33 <@dazo> read the note carefully, and you see it is just a warning ... it says: "*IF* you run"
10:33 < DammitJim> ok
10:33 < DammitJim> so, what do I do after I source ./vars ?
10:34 <@dazo> you do the ./build-key stuff you wanted .... but remember that when you do 'sudo' you spawn a new shell, which most likely will not carry these settings from ./vars
10:34 < DammitJim> oh
10:35 < DammitJim> so, what do I need to do?
10:35 <@dazo> so do 'sudo su -' ... then source vars and then build-key
10:35 <@dazo> as I said ... the easy-rsa v3 has improved these things
10:36 <@dazo> or you can use another CA tool .... I personally use XCA for my simple private stuff
10:36 < DammitJim> ok, cool. That worked!
10:36 < DammitJim> WOOHOO
10:36 < DammitJim> thanks dazo
10:36 <@dazo> just remember that these CA files should never ever be saved on the openvpn server or any other publicly available server on the Internet
10:36 < DammitJim> now that I have this client key, I have to create the configuration file on the client that references those keys
10:36 < DammitJim> but what else do I need to do on the server side?
10:37 <@dazo> copy what you have, replace the filenames
10:37 <@dazo> nothing
10:37 <@dazo> that's the key detail of how PKI works
10:37 < DammitJim> oh, the server will accept any key created for that ca?
10:37 <@dazo> yupp
10:37 < DammitJim> sweet! like magic!
10:37 <@dazo> The server only needs 4 files: ca.crt, server.key, server.crt and dh*.pem
10:37 <@dazo> The clients only need 3 files: ca.crt, client.key and client.crt
10:38 <@dazo> (plus the config file of course)
10:38 < DammitJim> great... I see that 03.pem, index.txt, serial got updated
11:01 < DammitJim> ok, so how does easy-rsa know to use my ca.crt?
11:01 < DammitJim> or are you saying I should always use the same ca.crt even if I set up a new openvpn server with a different server key?
11:01 < DammitJim> and the only difference is that I edit my vars
11:02 < DammitJim> and then re-source it?
11:17 <@dazo> DammitJim: sourcing ./vars is just to "load the configuration" for the easy-rsa scripts
11:20 <@dazo> DammitJim: A certificate is basically just 1) a public key (for a server/client) 2) Some "owner" info (subject, dates), 3) Issuer information (Who signed this certificate and when), 4) What the certificate can be used for and 5) a signature .... the signature is created using the CA key (which is why it is the most sacred file you'll touch in a long while) ... Clients and servers having a copy of the CA certificate can then authenticate
11:20 <@dazo> any certificate against the CA certificate. If the signature can be validated successfully, it is considered a trusted certificate.
11:20 < DammitJim> oh ok
11:20 < DammitJim> how do I "link" a server certificate to that of a client, then?
11:20 <@dazo> When the certificate is validated ...
the client/server uses the public key inside the certificate to start negotiating session encryption keys and such
11:21 <@dazo> So that a client can only use a specific server?
11:21 < DammitJim> right
11:21 < DammitJim> so, I set up an openvpn server for my brother in law
11:21 < DammitJim> I want his clients to be able to vpn to his server
11:22 < DammitJim> but I also have an openvpn server that I'd like to set up for myself
11:22 < DammitJim> and I don't want his clients to be able to connect to mine
11:22 <@dazo> Well, you can set up a separate CA and issue separate certificates ... or you can add some additional script hooks which add extra validation based on contents of the certificate
11:22 <@dazo> look at the --tls-verify script hook
11:23 <@dazo> I've written a more comprehensive plug-in in C which does that in addition to username/password auth ... which also on-the-fly updates iptables, depending on who is connecting
11:23 <@dazo> !eurephia
11:23 <@vpnHelper> "eurephia" is http://www.eurephia.net/
11:24 <@dazo> or you can use sub-CAs .... which I doubt is easily doable with easy-rsa
11:24 <@krzie> !dazo
11:24 <@vpnHelper> "dazo" is The project name krzee always forgets .... eurephia ... http://www.eurephia.net/
11:24 <@krzie> hahaha
11:24 <@dazo> hehe
11:25 < Mazhive> hello guys, have a problem with permissions openvpn on debian wheezy
11:27 < Mazhive> http://paste.debian.net/366485 is the log file
11:28 <@krzie> what's the problem?
11:28 < Mazhive> can someone give me an insight how to solve this..
11:28 <@krzie> you dropped permissions, then when you close openvpn it tries to shut down clean and remove routes and stuff, but it doesn't even need to because when it closes the interface they go too
11:29 <@krzie> so is there an actual problem?
11:30 < Mazhive> hmm so this is normal.. when starting openvpn like testing --> openvpn --verb 3 --config server.conf
11:30 < Mazhive> and cancel it by ctrl c
11:34 <@krzie> right
11:34 <@krzie> and the warnings were only after the ^C
11:35 <@krzie> if the process was still root openvpn would clean up after itself, since it's not root it cannot
11:38 < Mazhive> oke does openvpn only start up as root ?
11:38 -!- chachasmooth [~chachasmo@p4FC5E75A.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
11:38 < Mazhive> openvpn gives a "no such command" but if i sudo openvpn it works.
11:39 <@krzie> ya you must start openvpn as root unless you really understand your OS internals well enough to give it the specific permissions it needs, but you drop permissions which is good
11:39 <@krzie> so openvpn is starting as root and doing what it needs to do, then it gets rid of root
11:40 <@krzie> Mon Jan 18 17:52:14 2016 GID set to nogroup Mon Jan 18 17:52:14 2016 UID set to nobody
11:40 < Mazhive> true i've done that.
11:42 -!- chachasmooth [~chachasmo@p4FF8F5C0.dip0.t-ipconnect.de] has joined #openvpn
11:51 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
11:51 -!- gmc [~gmc@freenode/sponsor/gmc] has quit [Ping timeout: 272 seconds]
11:54 -!- k0nsl [~k0nsl@unaffiliated/k0nsl] has quit [Quit: “If we don't believe in freedom of expression for people we despise, we don't believe in it at all — Noam Chomsky”]
11:55 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
11:56 -!- k0nsl [~k0nsl@unaffiliated/k0nsl] has joined #openvpn
12:02 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
12:04 -!- kaiza [~kaiza@172.98.67.11] has joined #openvpn
12:24 -!- sixtoedjesus [~stj@unaffiliated/sixtoedjesus] has quit [Ping timeout: 255 seconds]
12:26 -!- sixtoedjesus [~stj@unaffiliated/sixtoedjesus] has joined #openvpn
12:31 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 248 seconds]
12:32 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
12:37 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn
12:40 -!- dazo is now known as dazo_afk
12:41 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 248 seconds]
12:44 -!- weox [uid112413@gateway/web/irccloud.com/x-kqojebdzbkpehthr] has quit [Quit: Connection closed for inactivity]
12:46 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn
12:48 -!- chachasmooth [~chachasmo@p4FF8F5C0.dip0.t-ipconnect.de] has quit [Ping timeout: 260 seconds]
12:54 -!- chachasmooth [~chachasmo@p4FC5E00C.dip0.t-ipconnect.de] has joined #openvpn
12:58 -!- DammitJim [~DammitJim@173.227.148.6] has quit [Quit: Leaving]
13:01 -!- paaltomo [~paaltomo@159.203.30.107] has joined #openvpn
13:33 -!- kaos01 [~kaos01@12.186.233.220.static.exetel.com.au] has quit [Quit: leaving]
13:42 -!- allizom [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has joined #openvpn
14:10 -!- ^CJ^ is now known as ^cj^
14:13 -!- Hadi [~Instantbi@gateway/vpn/privateinternetaccess/merandus] has joined #openvpn
14:15 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Remote host closed the connection]
14:15 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn
14:27 -!- eelstrebor [~ki7rw@216.75.116.100] has quit [Quit: Ex-Chat]
14:47 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 240 seconds]
15:00 -!- walnuts [~walnuts@95.211.230.98] has quit [Read error: Connection reset by peer]
15:05 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
15:06 -!- walnuts [~walnuts@95.211.230.98] has joined #openvpn
15:06 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Client Quit]
15:10 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
15:11 -!- metaf5 [~metaf5@31.220.42.38] has joined #openvpn
15:19 -!- lilibox [~franta_bi@93.99.40.10] has joined #openvpn
15:19 < lilibox> hi
15:20 < lilibox> does this chan provide very clean answers for very lame questions?
15:21 < lilibox> i mean answers that lead to happy living with openvpn... :)
15:21 < lilibox> !welcome
15:21 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
15:21 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:22 < lilibox> !route
15:22 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
15:22 <@vpnHelper> client
15:42 -!- walnuts [~walnuts@95.211.230.98] has quit [Ping timeout: 240 seconds]
15:45 -!- walnuts [~walnuts@95.211.230.98] has joined #openvpn
16:08 -!- julianoliver [~julian@202.66.238.89.in-addr.arpa.manitu.net] has quit [Ping timeout: 240 seconds]
16:12 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:22 -!- chachasmooth [~chachasmo@p4FC5E00C.dip0.t-ipconnect.de] has quit [Ping timeout: 260 seconds]
16:23 -!- chachasmooth [~chachasmo@p5B125419.dip0.t-ipconnect.de] has joined #openvpn
16:26 -!- Hadi1 [~Instantbi@gateway/vpn/privateinternetaccess/merandus] has joined #openvpn
16:29 -!- Hadi [~Instantbi@gateway/vpn/privateinternetaccess/merandus] has quit [Ping timeout: 260 seconds]
16:29 -!- Hadi1 is now known as Hadi
16:42 -!- weox [uid112413@gateway/web/irccloud.com/x-rndaqsvojhwdyafz] has joined #openvpn
16:42 -!- atralheaven [~atralheav@151.238.13.77] has joined #openvpn
16:43 < atralheaven> hello
16:43 < atralheaven> I don't know why my openvpn log file has nothing inside of it...? just a few lines that are not logged stuff
16:44 < atralheaven> server.conf file 'verb' is 3
16:45 < atralheaven> I want to know who has been connected to openvpn
16:46 < atralheaven> should I change the 'verb' value in server.conf?
16:48 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 248 seconds]
16:49 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
16:53 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn
16:55 -!- atralheaven [~atralheav@151.238.13.77] has quit [Ping timeout: 240 seconds]
16:55 -!- atralheaven [~atralheav@37.48.90.208] has joined #openvpn
17:03 -!- Mazhive [~peter@telbo-190-4-69-81.cust.telbo.net] has quit [Ping timeout: 260 seconds]
17:04 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Remote host closed the connection]
17:06 -!- atralheaven [~atralheav@37.48.90.208] has quit [Ping timeout: 260 seconds]
17:10 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
17:35 -!- allizom [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has quit [Quit: allizom]
17:41 -!- ferret_guy [9687d248@gateway/web/cgi-irc/kiwiirc.com/ip.150.135.210.72] has joined #openvpn
17:42 < ferret_guy> So I have a bridged openvpn setup right now, I can ping across the tunnel but not much else, not sure where the issue may lie
17:53 -!- Mazhive [~peter@telbo-200-6-151-177.cust.telbo.net] has joined #openvpn
18:15 -!- lilibox [~franta_bi@93.99.40.10] has quit [Ping timeout: 260 seconds]
18:19 -!- troyt [~troyt@c-67-161-210-245.hsd1.ut.comcast.net] has joined #openvpn
18:31 -!- ferret_guy [9687d248@gateway/web/cgi-irc/kiwiirc.com/ip.150.135.210.72] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client]
18:43 -!- ferret_guy [9687d26a@gateway/web/cgi-irc/kiwiirc.com/ip.150.135.210.106] has joined #openvpn
18:44 -!- tharkun [~0@unaffiliated/tharkun] has quit [Remote host closed the connection]
18:47 -!- ferret_guy [9687d26a@gateway/web/cgi-irc/kiwiirc.com/ip.150.135.210.106] has quit [Client Quit]
18:47 -!- ferret_guy [9687d26a@gateway/web/cgi-irc/kiwiirc.com/ip.150.135.210.106] has joined #openvpn
18:48 -!- Hamburglr [~textual@c-68-48-129-250.hsd1.mi.comcast.net] has joined #openvpn
18:52 -!- eelstrebor [~ki7rw@216.75.116.100] has joined #openvpn
18:52 -!- Hadi1 [~Instantbi@31.59.49.167] has joined #openvpn
18:53 -!- Hadi1 [~Instantbi@31.59.49.167] has quit [Remote host closed the connection]
18:54 -!- Hadi [~Instantbi@gateway/vpn/privateinternetaccess/merandus] has quit [Ping timeout: 264 seconds]
19:13 -!- ferret_guy [9687d26a@gateway/web/cgi-irc/kiwiirc.com/ip.150.135.210.106] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client]
19:21 -!- onezuff [~onezuff@ip68-3-211-21.ph.ph.cox.net] has joined #openvpn
19:21 < onezuff> i lose internet when connecting to my openvpn server from a machine that is running a bridged interface? here is my routing table before/after - http://pastebin.com/BYr8uxrD - what is going wrong here?
19:24 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has quit [Remote host closed the connection]
20:01 -!- ferret_guy [9687d26a@gateway/web/cgi-irc/kiwiirc.com/ip.150.135.210.106] has joined #openvpn
20:01 -!- ferret_guy [9687d26a@gateway/web/cgi-irc/kiwiirc.com/ip.150.135.210.106] has quit [Client Quit]
20:08 -!- designbybeck [~designbyb@74.197.67.210] has joined #openvpn
20:37 -!- Mazhive [~peter@telbo-200-6-151-177.cust.telbo.net] has quit [Ping timeout: 255 seconds]
20:47 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 248 seconds]
20:54 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn
21:09 < designbybeck> anyone use dnsdynamic.org ? are they legit?
21:10 -!- chachasmooth [~chachasmo@p5B125419.dip0.t-ipconnect.de] has quit [Ping timeout: 260 seconds]
21:11 -!- chachasmooth [~chachasmo@p5B125E16.dip0.t-ipconnect.de] has joined #openvpn
21:12 -!- eelstrebor [~ki7rw@216.75.116.100] has quit [Ping timeout: 245 seconds]
21:13 < illuminated> onezuff, do you have SNAT configured on the digital ocean vps?
21:15 < onezuff> am i supposed to, illuminated ? it works fine on machines without a br0 device
21:17 < illuminated> well then i don't know
21:20 -!- tobinski___ [~tobinski@x2f5a922.dyn.telefonica.de] has joined #openvpn
21:24 -!- tobinski_ [~tobinski@x2f58434.dyn.telefonica.de] has quit [Ping timeout: 260 seconds]
21:43 -!- designbybeck [~designbyb@74.197.67.210] has quit [Quit: Leaving]
22:21 -!- walnuts [~walnuts@95.211.230.98] has quit [Read error: Connection reset by peer]
22:26 -!- walnuts [~walnuts@95.211.230.98] has joined #openvpn
22:35 -!- Hamburglr [~textual@c-68-48-129-250.hsd1.mi.comcast.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
22:44 -!- kojin [~kojin@unaffiliated/kojin] has joined #openvpn
22:44 < kojin> hi all
22:45 < hiya> hi
22:47 < kojin> hiya, is there a max download speed under openvpn in routed mode with a tun device?
22:48 < hiya> 1Gbps
22:48 < hiya> :)
22:48 < hiya> I don't think there is a maximum speed but when you have 1Gbps+ bandwidth, you need some help
22:50 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit []
22:51 < kojin> yes... I've a problem with my vpn, I've a VPN in the soyoustart.com datacenter with a bandwidth of 250Mbps, at home I've 100Mbps, but in VPN I still download at 15Mbps
22:52 < hiya> kojin, it depends on the distance and a lot of things
22:52 < kojin> I've read some articles about that and I've increased the speed from 2Mbps to 15Mbps... But for the bandwidth that I have, I think that is a bit slow
22:52 < kojin> I'm in Italy (Milano) and the server is in France
22:53 < hiya> it should be fine
22:53 < _FBi> MTUs can be a problem too. Having a crappy VPS can also slow you down.
22:53 < _FBi> good night guys
22:53 < hiya> I think you should try my VPN server and see if it is any better for you
22:53 < hiya> gn
22:53 < hiya> kojin, people from US get 30 Mbps on my server
22:53 < hiya> kojin, I host in EU
22:55 < kojin> I've set my optimal MTU (1470) in the client config
22:55 < kojin> how much hardware does a vpn server require to work properly?
22:55 < kojin> hiya, how can I try your server?
22:56 < hiya> kojin, I invited you to my channel
22:56 < hiya> and follow the instructions
22:57 < kojin> ok thanks
23:12 -!- uiyice [~uiywtf@69.143.201.7] has joined #openvpn
23:25 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
23:26 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Max SendQ exceeded]
23:28 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
23:44 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
23:46 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Ping timeout: 245 seconds]
23:57 -!- ShadniX [dagger@p5DDFE3E8.dip0.t-ipconnect.de] has quit [Ping timeout: 248 seconds]
23:58 -!- ShadniX [dagger@p5DDFD405.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Tue Jan 19 2016
00:03 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
00:20 -!- NightMonkey [~NightMonk@pdpc/supporter/professional/nightmonkey] has quit [Quit: ZNC - http://znc.in]
00:27 -!- luckman212 [~luckman21@unaffiliated/luckman212] has quit [Ping timeout: 245 seconds]
00:36 -!- luckman212 [~luckman21@unaffiliated/luckman212] has joined #openvpn
00:47 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
00:49 -!- jackbrown [~se@unaffiliated/jackbrown] has joined #openvpn
00:49 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 248 seconds]
00:54 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn
01:05 -!- luckman212 [~luckman21@unaffiliated/luckman212] has quit [Ping timeout: 250 seconds]
01:12 -!- andriijas [~andriijas@h59ec3f0b.sekabor.dyn.perspektivbredband.net] has joined #openvpn
01:12 -!- luckman212 [~luckman21@unaffiliated/luckman212] has joined #openvpn
01:16 -!- mparisi [~mparisi@marcelo.feitoza.com.br] has quit [Ping timeout: 260 seconds]
01:19 -!- mparisi [~mparisi@marcelo.feitoza.com.br] has joined #openvpn
01:31 < kojin> guys can you help me please? I'm configuring my openvpn server but I get a tls handshake error... It is not a firewall error since with tcpdump the packets are received from the server.
01:31 < kojin> Here's my config: firewall conf: http://fpaste.org/312227/
01:31 < kojin> server.conf http://fpaste.org/312228/
01:31 < kojin> client.ovpn http://fpaste.org/312229/
01:37 < kojin> sorry the firewall rules are wrong... here is the correct one http://fpaste.org/312232/
01:40 -!- jackbrown [~se@unaffiliated/jackbrown] has quit [Ping timeout: 240 seconds]
01:54 -!- kojin [~kojin@unaffiliated/kojin] has quit [Quit: Leaving]
01:54 -!- jackbrown [~se@unaffiliated/jackbrown] has joined #openvpn
02:19 -!- jackbrown [~se@unaffiliated/jackbrown] has quit [Ping timeout: 265 seconds]
02:22 -!- sixtoedjesus [~stj@unaffiliated/sixtoedjesus] has quit [Ping timeout: 245 seconds]
02:47 < hiya> tls handshake error = mostly new OVPN server vs client client
02:50 -!- sixtoedjesus [~stj@unaffiliated/sixtoedjesus] has joined #openvpn
02:52 -!- HollowPoint [~quassel@62.255.245.182] has joined #openvpn
02:53 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has quit [Ping timeout: 250 seconds]
03:05 -!- pothepanda [~thgs@athedsl-303918.home.otenet.gr] has joined #openvpn
03:06 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
03:23 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn
03:28 -!- andriijas [~andriijas@h59ec3f0b.sekabor.dyn.perspektivbredband.net] has left #openvpn []
03:37 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
03:38 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
03:47 < hiya> hey what's up bro
03:58 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
04:03 -!- dazo_afk is now known as dazo
04:21 -!- jackbrown [~se@unaffiliated/jackbrown] has joined #openvpn
04:23 -!- swebb [~swebb@192.152.130.179] has quit [Ping timeout: 272 seconds]
04:27 -!- swebb [~swebb@192.152.130.179] has joined #openvpn
04:29 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has joined #openvpn
04:48 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 248 seconds]
04:54 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn
05:01 -!- rathel [~rathel@184-99-248-32.hlrn.qwest.net] has quit [Ping timeout: 256 seconds]
05:20 -!- allizom [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has joined #openvpn
05:25 -!- allizom [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has quit [Client Quit]
05:26 -!- Meow-J [uid69628@gateway/web/irccloud.com/x-oiyvvpdkypcoahzh] has quit [Quit: Connection closed for inactivity]
05:34 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
05:35 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Client Quit]
05:36 -!- jackbrown [~se@unaffiliated/jackbrown] has quit [Ping timeout: 256 seconds]
05:38 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
06:07 -!- andriijas [~andriijas@h59ec3f0b.sekabor.dyn.perspektivbredband.net] has joined #openvpn
06:08 < andriijas> any os x expert here? i've set up openvpn in os x 10.11, i'm only missing firewall rules for allowing all traffic from the tun device to en0 and vice versa. i've used ipfw before but it seems it's deprecated in favor of pfctl
06:11 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
06:12 -!- veilg [~veilg@217.138.46.238] has joined #openvpn
06:18 -!- sara2010 [b45c9d16@gateway/web/freenode/ip.180.92.157.22] has quit [Ping timeout: 252 seconds]
06:19 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
06:21 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Client Quit]
06:22 -!- paaltomo_ [~paaltomo@159.203.30.107] has joined #openvpn
06:23 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has joined #openvpn
06:24 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
06:31 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
06:31 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
06:37 -!- nemysis [~nemysis@freebsd/developer/pcbsd.nemysis] has quit [Ping timeout: 264 seconds]
06:43 < andriijas> got it
06:43 -!- andriijas [~andriijas@h59ec3f0b.sekabor.dyn.perspektivbredband.net] has left #openvpn []
06:46 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
06:51 -!- jackbrown [~se@unaffiliated/jackbrown] has joined #openvpn
06:55 -!- nemysis [~nemysis@freebsd/developer/pcbsd.nemysis] has joined #openvpn
07:22 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
07:37 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
07:40 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
07:57 -!- ade_b [~Ade@redhat/adeb] has quit [Remote host closed the connection]
07:57 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
08:01 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
08:06 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
08:13 -!- jackbrown [~se@unaffiliated/jackbrown] has quit [Ping timeout: 260 seconds]
08:14 -!- chachasmooth [~chachasmo@p5B125E16.dip0.t-ipconnect.de] has quit [Ping timeout: 260 seconds]
08:16 -!- chachasmooth [~chachasmo@p5B125E0B.dip0.t-ipconnect.de] has joined #openvpn
08:18 -!- Meow-J [uid69628@gateway/web/irccloud.com/x-gpfqazxtwbswspjb] has joined #openvpn
08:18 -!- arcsky [~arcsky@87.117.231.108] has joined #openvpn
08:19 < arcsky> hi do i need to register an account if i just want to have a private tunnel ?
08:25 -!- weox [uid112413@gateway/web/irccloud.com/x-rndaqsvojhwdyafz] has quit [Quit: Connection closed for inactivity]
08:28 -!- weox [uid112413@gateway/web/irccloud.com/x-uzatwrywdgukrqle] has joined #openvpn
08:36 < Poster> You can run a tunnel on your own without any type of registration
08:36 < Poster> where are you looking that made you think you needed to register somewhere?
08:37 < arcsky> PrivateTunnel 2.5
08:37 < arcsky> email / password
08:38 < Poster> ok I don't think that has anything to do with OpenVPN
08:38 < Poster> they may use it, but it's not supported here
08:38 < arcsky> openvpn-install-2.3.10-I601-x86_64.exe is this correct?
08:39 < Poster> ok so it looks like it may be related, but you don't have to use it if you just want to establish your own client and server system
08:40 -!- varesa- [~varesa@ec2-52-49-18-111.eu-west-1.compute.amazonaws.com] has joined #openvpn
08:40 < arcsky> what windows client should i use then?
08:43 < Poster> ok let's start with what specifically you're trying to accomplish
08:43 -!- varesa [~varesa@ec2-54-246-169-192.eu-west-1.compute.amazonaws.com] has quit [Ping timeout: 272 seconds]
08:43 < Poster> !goal
08:43 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
08:49 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 248 seconds]
08:54 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
08:54 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn
08:57 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Client Quit]
08:59 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
09:03 -!- HollowPoint [~quassel@62.255.245.182] has quit [Ping timeout: 250 seconds]
09:05 -!- DammitJim [~DammitJim@173.227.148.6] has joined #openvpn
09:06 < DammitJim> ok, so how do I configure 2 different VPN servers for 2 different people and not let clients be able to connect to both VPN servers?
09:06 < DammitJim> I understand that with a single CA, that's not possible?
09:07 -!- DammitJim [~DammitJim@173.227.148.6] has quit [Quit: Leaving]
09:10 < Poster> pretty much yeah
09:15 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
09:16 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
09:19 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Ping timeout: 240 seconds]
09:24 -!- HollowPoint [~quassel@62.255.245.182] has joined #openvpn
09:27 -!- DammitJim [~DammitJim@173.227.148.6] has joined #openvpn
09:27 < DammitJim> sorry, got disconnected
09:27 < DammitJim> ok, so how do I configure 2 different VPN servers for 2 different people and not let clients be able to connect to both VPN servers?
09:27 < DammitJim> I understand that with a single CA, that's not possible?
09:28 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
09:29 -!- pothepanda [~thgs@athedsl-303918.home.otenet.gr] has quit [Quit: bye]
09:33 -!- HollowPoint [~quassel@62.255.245.182] has quit [Remote host closed the connection]
09:33 -!- ^cj^ is now known as ^CJ^
09:34 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
09:35 < DArqueBishop> DammitJim: not really. Even if it's possible, I would argue that it would be good practice and trivial to set up separate CAs for the two servers.
09:37 < DammitJim> DArqueBishop, thank you!
09:37 < DammitJim> so, I should just generate a new CA, right?
09:37 < DammitJim> I think I've done that in the past, but not with easy-rsa
09:38 < DammitJim> I don't know how I would go back to easy-rsa and generate more client keys for a CA that I used a couple of months ago
09:38 < DArqueBishop> I'd create a second easy-rsa install for it, but that's just me.
09:38 < DammitJim> and I have generated a new CA
09:38 < DammitJim> oh
09:38 < DammitJim> interesting!
09:39 < DArqueBishop> Personally, I actually have easy-rsa on a dedicated VM, separate from the OpenVPN server.
09:39 < DammitJim> ooohhhhh
09:39 < DammitJim> and different easy-rsa environments
09:39 < DammitJim> nice
09:42 < DammitJim> DArqueBishop, do I just copy the folder?
10:09 -!- DammitJim [~DammitJim@173.227.148.6] has quit [Quit: Leaving]
10:23 -!- toli [~toli@ip-62-235-242-236.dsl.scarlet.be] has quit [Ping timeout: 246 seconds]
10:35 -!- weox [uid112413@gateway/web/irccloud.com/x-uzatwrywdgukrqle] has quit [Quit: Connection closed for inactivity]
10:46 -!- veilg [~veilg@217.138.46.238] has quit []
11:20 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:20 < arcsky> good evening, does anyone know if my configs are wrong in some way ? http://pastebin.com/GPZpEPxE i can't get it to work. my goal is windows 10 default route to my server over the openvpn.
11:29 < hiya> arcsky, client.conf has dev tap which differs from dev tun :)
11:29 < hiya> change it
11:32 < arcsky> hiya: still doesn't work
11:34 < arcsky> http://pastebin.com/huc6h21M from client log
11:39 < arcsky> i did add remote-cert-tls server and restarted it and it's connected now. how can i do with the settings so my client gets an ip + adds the default route?
11:41 -!- kojin [05a9629c@gateway/web/freenode/ip.5.169.98.156] has joined #openvpn
11:42 < kojin> hi all
11:42 < kojin> I've a problem with my openvpn server, I get this error TLS Error: client->client or server->server connection attempted from
11:43 < kojin> can someone help me please?
11:55 < xamindar> looks like the error is missing some information
11:58 < hiya> joako, sup
11:58 < hiya> kojin, sup
11:59 < kojin> hi hiya
11:59 < hiya> arcsky, push "redirect-gateway def1 bypass-dhcp"
11:59 < hiya> push "dhcp-option DNS 84.200.69.80"
11:59 < hiya> push "dhcp-option DNS 84.200.70.40"
11:59 < hiya> arcsky, add this to server.conf
12:00 < hiya> kojin, What is wrong? I think your server is a new version of OpenVPN on client/server than the other
12:00 < hiya> Are you using the same on both?
12:00 < kojin> yes
12:00 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn
12:03 < hiya> kojin, Are you using a peer to peer connection?
12:03 < kojin> i'm using routed ip, tun interface
12:05 < kojin> hiya: firewall conf http://fpaste.org/312489/
12:05 < hiya> is it openvpn 2.3.4?
12:05 < kojin> server.conf http://fpaste.org/312490/
12:05 < kojin> client.ovpn http://fpaste.org/312491/
12:06 < arcsky> hiya: my client doesn't get any ip or route
12:09 < hiya> kojin, client.ovpn line 42 add remote
12:09 < hiya> arcsky, I don't know bro :(
12:09 < kojin> hiya: sorry, remote is in client
12:10 < hiya> kojin, What is that 53?
12:11 < hiya> kojin, that line looks bad
12:11 < hiya> :)
12:11 < hiya> 42
12:11 < hiya> arcsky, Clean your configuration files and give some logs
12:11 < kojin> hiya: it's the default config
12:12 < hiya> kojin, remote SERVERIP PORTNUMBER
12:12 < hiya> kojin, So it would be
12:12 < hiya> remote SERVERIP 1194
12:12 < hiya> for you in line 42
12:13 < kojin> I can't, 1194 is blocked by my corporate firewall
12:13 < kojin> I've added a redirect rule in the PREROUTING chain
12:14 < kojin> hiya: If you want client.log http://fpaste.org/312496/14532271/
12:16 < hiya> your setup is a bit weird
12:16 < hiya> :)
12:17 < kojin> why hiya ?
12:18 < hiya> something is wrong, I mean I don't know how you ended up with that port
12:18 < hiya> 53
12:20 < kojin> hiya: since my corporate firewall blocks 1194 udp outgoing, I must use 53 udp, which is open (DNS). So I make the request in this way: ip_server:53... In the prerouting chain on the server I've added a rule that the incoming requests on 53 are redirected to 1194, which is the port openvpn listens on
12:23 < arcsky> log openvpn.log can i get more verbose?
12:29 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
12:35 < hiya> kojin, I see
12:36 < hiya> arcsky, verb 5
12:36 < hiya> or 6
12:37 -!- dvl_ [~dvl@freebsd/developer/dvl] has joined #openvpn
12:37 -!- dan_j_ [sid21651@gateway/web/irccloud.com/x-lixdxyvhgpblotuy] has joined #openvpn
12:38 -!- dvl [~dvl@freebsd/developer/dvl] has quit [Ping timeout: 255 seconds]
12:38 -!- dan_j [sid21651@gateway/web/irccloud.com/x-owbpidantmycmoin] has quit [Ping timeout: 255 seconds]
12:38 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 255 seconds]
12:38 -!- dan_j_ is now known as dan_j
12:38 -!- dvl_ is now known as dvl
12:38 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has quit [Ping timeout: 255 seconds]
12:38 -!- paaltomo [~paaltomo@159.203.30.107] has quit [Quit: It's 420 somewhere]
12:38 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
12:39 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
12:40 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has joined #openvpn
12:40 < arcsky> hiya: i finally got an ip on the client
12:41 -!- dvl [~dvl@freebsd/developer/dvl] has quit [Max SendQ exceeded]
12:41 -!- kaiza [~kaiza@172.98.67.11] has quit [Ping timeout: 260 seconds]
12:44 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
12:45 -!- Tenhi_ [~tenhi@69.64.50.196] has quit [K-Lined]
12:45 -!- dvl [~dvl@freebsd/developer/dvl] has joined #openvpn
12:45 < arcsky> http://pastebin.com/88mMqyyM
12:48 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 248 seconds]
12:49 -!- toli [~toli@62.235.78.187] has joined #openvpn
12:52 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Ping timeout: 264 seconds]
12:54 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn
12:55 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
13:02 -!- liuyuan [823fa549@gateway/web/freenode/ip.130.63.165.73] has joined #openvpn
13:05 < liuyuan> !configs
13:05 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting
13:06 < liuyuan> !paste
13:06 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
13:06 < liuyuan> !logs
13:06 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
13:07 < arcsky> liuyuan: what's that for me ?
13:07 -!- varesa- is now known as varesa
13:07 -!- walnuts [~walnuts@95.211.230.98] has quit [Ping timeout: 260 seconds]
13:08 < liuyuan> no, I was about to ask some questions
13:08 < liuyuan> but I think I may have found some solutions
13:08 < arcsky> ok
13:09 < arcsky> hiya: any clue ?
13:20 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn
13:24 -!- kojin [05a9629c@gateway/web/freenode/ip.5.169.98.156] has quit [Ping timeout: 252 seconds]
13:30 -!- liuyuan [823fa549@gateway/web/freenode/ip.130.63.165.73] has quit [Quit: Page closed]
13:35 -!- Nik05 [~Nik05@unaffiliated/nik05] has quit [Remote host closed the connection]
13:38 -!- Nik05 [~Nik05@unaffiliated/nik05] has joined #openvpn
13:46 -!- dazo is now known as dazo_afk
13:51 -!- arlen [~arlen@jarvis.arlen.io] has quit [Ping timeout: 240 seconds]
13:55 -!- arlen [~arlen@jarvis.arlen.io] has joined #openvpn
14:02 -!- k0nsl [~k0nsl@unaffiliated/k0nsl] has quit [Ping timeout: 240 seconds]
14:04 -!- k0nsl [~k0nsl@unaffiliated/k0nsl] has joined #openvpn
14:04 -!- ustn [~ustn@p4FDB15DB.dip0.t-ipconnect.de] has joined #openvpn
14:06 -!- Eagleman [~Eagleman@546BC6A7.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 260 seconds]
14:10 < arcsky> anyone must know
14:23 < zoredache> arcsky: not sure what you are asking, the route table in your past pastebin shows routes for 0.0.0.0/1 and 128.0.0.1/1.
14:27 < arcsky> zoredache: i want my server.conf to send the default route to the client.
14:27 -!- Eagleman [~Eagleman@546BC6A7.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
14:29 -!- jackbrown [~se@unaffiliated/jackbrown] has joined #openvpn
14:31 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
14:31 < zoredache> Right, and I am saying from your netstat output, you have done that.
14:32 -!- Eagleman [~Eagleman@546BC6A7.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 250 seconds] 14:33 -!- Whoopie [Whoopie@unaffiliated/whoopie] has joined #openvpn 14:33 -!- Eagleman [~Eagleman@546BC6A7.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn 14:34 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Ping timeout: 250 seconds] 14:34 < Whoopie> Hi, I tried to setup a routed VPN connection with IPv4 and IPv6. IPv4 works fine, but with IPv6, I can't get it working to push a default route. I tried "push-ipv6 ::/0", but this doesn't replace my current default route. 14:35 < Whoopie> If I own have a IPv4 LAN connection, the pushed route works for IPv6. But not, if the LAN connection is dual-stack. Any ideas? 14:39 -!- Eagleman [~Eagleman@546BC6A7.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 276 seconds] 14:40 -!- Eagleman [~Eagleman@546BC6A7.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn 14:41 -!- ljvb [~jason@us.vps.vanbrecht.com] has quit [Ping timeout: 265 seconds] 14:43 < arcsky> zoredache: ok i can reach the internet now trough the vpn but how can i reach the 172.16.0.1 from the clients 172.16.0.6 ? 14:45 -!- damme [~damme@2001:16d8:cc75::72e] has joined #openvpn 15:05 < damme> anyone using openwrt with openvpn? I am trying to make a seperate network to route via vpn, if I run on vpnserver #push "redirect-gateway local def1" it works, but then all traffic goes through vpn 15:05 < damme> if I run server with push "route 10.43.0.0 255.255.255.0" traffic reaches the server tun0 interface, but 15:46:46.196909 IP 10.8.0.6 > 10.43.0.157: ICMP google-public-dns-a.google.com protocol 1 port 61929 unreachable, length 92 15:06 -!- jackbrown [~se@unaffiliated/jackbrown] has quit [Ping timeout: 255 seconds] 15:06 <@krzie> what network do you want to route over the vpn 15:06 <@krzie> the lan behind the server? 
15:08 < damme> internet :) server [vps] has internet and vpnserver, I want to be able from openwrt to route as normal for lan, but I have a secondary net wich I want to go through vpn and out to internet 15:08 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 15:09 < damme> so basically, I want to server vps to nat vpn 15:10 <@krzie> so you want redirect-gateway unless i missed something... 15:11 <@krzie> ohh wait a sec... the router is a vpn client, not server? 15:12 < damme> krzie, almost, if I run redirect-gateway local def1 all traffic runs to vps vpn and that works. but I dont want _everything_ to go there, only those who specify 10.8.0.6 (assigned from server to client) as gateway 15:13 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn 15:21 < damme> krzie, missed your second line, yes router is vpn client 15:22 < damme> vpn server is named vps 15:22 -!- soLucien [~Lu@130.225.165.39] has joined #openvpn 15:22 < damme> so I want to be able to use vpn client in as gateway and run out from vps 15:22 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Ping timeout: 256 seconds] 15:23 < soLucien> hello guys ! I'm having trouble with OVPN on Windows. I have setup my VPN server so that it pushes its own DNS server to the clients. It works when i connect, but after a while, the DNS is "forgotten", and it is replaced by my default one 15:24 < soLucien> i have also observed this behavior when i re-install ovpn as well 15:24 < soLucien> it works for a while, then the DNS changes 15:27 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn 15:29 -!- allizom [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has joined #openvpn 15:32 < arcsky> is there any website which can looks for DNS leaks ? 
15:32 < arcsky> or how can i check for it 15:34 -!- walnuts [~walnuts@95.211.230.98] has joined #openvpn 15:39 -!- Eagleman [~Eagleman@546BC6A7.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 245 seconds] 15:40 -!- ustn [~ustn@p4FDB15DB.dip0.t-ipconnect.de] has quit [Quit: ustn] 15:41 -!- Eagleman [~Eagleman@546BC6A7.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn 15:42 -!- ^CJ^ is now known as ^cj^ 15:45 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 15:47 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Ping timeout: 250 seconds] 15:57 -!- allizom [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has quit [Quit: allizom] 15:59 -!- damme [~damme@2001:16d8:cc75::72e] has quit [Ping timeout: 250 seconds] 16:04 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn 16:08 -!- eelstrebor [~ki7rw@216.75.116.100] has joined #openvpn 16:09 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Ping timeout: 272 seconds] 16:16 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn 16:49 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 248 seconds] 16:55 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 16:59 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 248 seconds] 17:00 -!- paaltomo_ [~paaltomo@159.203.30.107] has quit [Quit: It's 420 somewhere] 17:00 -!- soLucien [~Lu@130.225.165.39] has quit [Quit: Leaving] 17:03 -!- paaltomo [~paaltomo@159.203.30.107] has joined #openvpn 17:04 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 17:14 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Remote host closed the connection] 17:16 <@krzie> oh he left 17:16 <@krzie> too bad, i got busy at work but was going to help him 17:18 <@krzie> arcsky: according to google: https://www.dnsleaktest.com/ 17:18 <@vpnHelper> Title: DNS leak test (at www.dnsleaktest.com) 17:18 <@krzie> well actually i didnt use google :-p https://duckduckgo.com/?q=dns+leak 
17:18 <@vpnHelper> Title: dns leak at DuckDuckGo (at duckduckgo.com) 17:18 <@krzie> first 4 hits were answers to your question, leading me to believe you didnt check 17:54 -!- weox [uid112413@gateway/web/irccloud.com/x-qekpbchbsqfwjyyh] has joined #openvpn 18:26 -!- Mazhive [~peter@telbo-200-6-150-250.cust.telbo.net] has joined #openvpn 18:31 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn 18:32 < Mazhive> ./build-key client1 18:32 < Mazhive> pkitool: Need a readable ca.crt and ca.key in /etc/openvpn/easy-rsa/keys 18:32 < Mazhive> Try pkitool --initca to build a root certificate/key. 18:32 < Mazhive> does this mean i have to decrypt those files as they are available in this folder. 18:32 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 18:33 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 18:39 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Ping timeout: 264 seconds] 18:40 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 18:45 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Ping timeout: 260 seconds] 18:54 -!- dvl [~dvl@freebsd/developer/dvl] has left #openvpn ["Textual IRC Client: www.textualapp.com"] 19:05 -!- onezuff [~onezuff@ip68-3-211-21.ph.ph.cox.net] has left #openvpn ["Leaving"] 19:09 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has quit [Remote host closed the connection] 19:10 -!- eelstrebor [~ki7rw@216.75.116.100] has quit [Quit: Ex-Chat] 19:11 -!- obscurehero [~obscurehe@via.arcis.pw] has quit [Ping timeout: 260 seconds] 19:22 -!- DzAirmaX [~AirmaX@unaffiliated/dzairmax] has quit [Quit: We here br0.... 
xD] 19:24 -!- DzAirmaX [~AirmaX@unaffiliated/dzairmax] has joined #openvpn 19:27 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 19:55 -!- obscurehero [~obscurehe@via.arcis.pw] has joined #openvpn 19:56 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 19:57 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 19:57 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Client Quit] 20:16 -!- dvl [~dvl@freebsd/developer/dvl] has joined #openvpn 20:50 -!- DracoDan [~no@pool-96-231-184-212.washdc.fios.verizon.net] has joined #openvpn 20:51 < DracoDan> just deployed the latest ESXi appliance via OVA, but I can't seem to reconfigure the IP address 20:54 < DracoDan> when I try to and then do an ifdown eth && ifup eth0 I get "Error: either "local" is duplicate or "netmask" is a garbage" 20:54 < DracoDan> yes, it is a garbage... 20:54 < DracoDan> the guide on the openvpn site says to go to ip:5480, which nothing is listening on... 20:55 -!- linuxthefish [~ltf@unaffiliated/edmundf] has left #openvpn ["Leaving"] 20:55 < DracoDan> I followed the guide here https://openvpn.net/index.php/access-server/download-openvpn-as-vm/469-deploying-openvpn-access-server-from-an-ovf-template-in-vmware-esxi-environment.html 20:56 <@vpnHelper> Title: Deploying OpenVPN Access Server from an OVF Template in VMWare ESXi Environment (at openvpn.net) 21:00 < DracoDan> nevermind, this document is just poorly written, it's missing a bunch of carriage returns... 
21:05 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 248 seconds] 21:11 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 21:19 -!- tobinski_ [~tobinski@x2f5835c.dyn.telefonica.de] has joined #openvpn 21:23 -!- tobinski___ [~tobinski@x2f5a922.dyn.telefonica.de] has quit [Ping timeout: 260 seconds] 21:36 -!- BrianBlaze420 [~blaze@unaffiliated/brianblaze] has quit [Ping timeout: 264 seconds] 21:37 -!- AfroThundr [~AfroThund@2601:147:c001:6667:9c20:ccd0:104e:ae4a] has quit [Read error: Connection reset by peer] 21:39 -!- AfroThundr [~AfroThund@2601:147:c001:6667:9c20:ccd0:104e:ae4a] has joined #openvpn 21:43 -!- BrianBlaze420 [~blaze@unaffiliated/brianblaze] has joined #openvpn 21:49 -!- funnel [~funnel@unaffiliated/espiral] has quit [Ping timeout: 260 seconds] 21:55 -!- varesa_ [~varesa@ec2-54-171-127-114.eu-west-1.compute.amazonaws.com] has quit [Ping timeout: 276 seconds] 21:56 -!- ade_ [~Ade@redhat/adeb] has joined #openvpn 21:58 -!- varesa_ [~varesa@ec2-54-171-127-114.eu-west-1.compute.amazonaws.com] has joined #openvpn 21:58 -!- chachasmooth [~chachasmo@p5B125E0B.dip0.t-ipconnect.de] has quit [Ping timeout: 245 seconds] 22:00 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 255 seconds] 22:01 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn 22:04 -!- chachasmooth [~chachasmo@p5B125219.dip0.t-ipconnect.de] has joined #openvpn 22:34 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer] 23:00 < hiya> Hello people 23:00 < hiya> arcsky, hey 23:09 -!- tychotithonus [~tychotith@unaffiliated/tychotithonus] has quit [Quit: out] 23:15 -!- paaltomo [~paaltomo@159.203.30.107] has quit [Quit: It's 420 somewhere] 23:22 -!- nitdega [~nitdega@2602:306:2420:b291:68a7:b3a:42c6:83c7] has quit [Quit: ZNC - 1.6.0 - http://znc.in] 23:30 -!- nitdega [~nitdega@2602:304:ab12:4401:ea57:e16c:d410:4e4c] has joined #openvpn 23:39 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn 23:39 -!- banco 
[~ban@212.164.222.212] has quit [Ping timeout: 276 seconds] 23:43 -!- tychotithonus [~tychotith@unaffiliated/tychotithonus] has joined #openvpn 23:45 -!- banco [~ban@212.164.222.212] has joined #openvpn 23:55 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Read error: Connection reset by peer] 23:55 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn 23:56 -!- ShadniX [dagger@p5DDFD405.dip0.t-ipconnect.de] has quit [Ping timeout: 248 seconds] 23:57 -!- ShadniX [dagger@p5DDFD9E7.dip0.t-ipconnect.de] has joined #openvpn 23:59 -!- ju1c3d [~juiced@wm-002.juiced.net] has joined #openvpn --- Day changed Wed Jan 20 2016 00:01 < ju1c3d> Hi all, I came here for a quick question...when will AEAD cipher modes be available in openvpn? Is there maybe already a test version somewhere available? 00:02 < ju1c3d> !ovpnuke 00:02 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6 00:05 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 276 seconds] 00:05 < ju1c3d> !welcome 00:06 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 00:06 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 00:06 < hiya> ju1c3d, Is it really possible? 00:06 < hiya> to crash a server like this so easily? 00:06 < ju1c3d> ehh...w00t? 00:06 < ju1c3d> oh ah...ovpnuke 00:07 < hiya> Yep 00:07 < hiya> Do you host an OVPN server? 00:07 < ju1c3d> yes.. 00:09 < hiya> Where? 
00:09 < hiya> I host one too 00:09 < ju1c3d> hiya: you can see this "!ovpnuke" /topic btw 00:09 < hiya> I prove to people who need it 00:09 < hiya> :) 00:09 < hiya> for gratis 00:09 < hiya> do you? 00:09 < ju1c3d> *in /topic 00:10 < ju1c3d> i have a server at digitalocean for example 00:11 < ju1c3d> and i'm building a service around it...i have a osx app so far to connect 00:12 < ju1c3d> and not gratis, somebody has to pay for the servers ;) 00:19 < ju1c3d> it will be cheap though 00:19 < ju1c3d> but anyways...is this the openvpn developers channel? 00:19 < hiya> I don't know 00:20 < hiya> it is general help channel 00:21 < ju1c3d> ah ok..thanks 00:23 < ju1c3d> i found a different channel: #openvpn-devel 00:24 < hiya> ju1c3d, if you need access to server as a client PM me :) 00:25 < ju1c3d> thanks, but i'm running my own servers :) 00:40 -!- kaos01 [~kaos01@12.186.233.220.static.exetel.com.au] has joined #openvpn 00:41 -!- MogDog [~mogdog@mog.dog] has quit [Ping timeout: 276 seconds] 00:41 -!- ju1c3d [~juiced@wm-002.juiced.net] has quit [Quit: leaving] 00:42 -!- MogDog [~mogdog@mog.dog] has joined #openvpn 00:47 -!- u0m3__ [~u0m3@5-12-78-171.residential.rdsnet.ro] has joined #openvpn 00:50 -!- u0m3_ [~u0m3@5-12-78-171.residential.rdsnet.ro] has quit [Ping timeout: 256 seconds] 01:04 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 248 seconds] 01:11 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 01:27 -!- Magiobiwan [~Magiobiwa@unaffiliated/magiobiwan] has quit [Quit: ZOMBIES!] 
01:30 -!- Magiobiwan [~Magiobiwa@unaffiliated/magiobiwan] has joined #openvpn 01:35 -!- unixninja92 [~unixninja@freenet/gsoc2014/unixninja92] has quit [Read error: Connection reset by peer] 01:40 -!- unixninja92 [~unixninja@freenet/gsoc2014/unixninja92] has joined #openvpn 01:48 -!- ade_ [~Ade@redhat/adeb] has quit [Ping timeout: 260 seconds] 01:56 -!- AlmogBaku [~AlmogBaku@37.26.149.193] has joined #openvpn 02:00 -!- HollowPoint [~quassel@62.255.245.182] has joined #openvpn 02:00 -!- mirco [~mirco@b2b-130-180-116-94.unitymedia.biz] has quit [Quit: mirco] 02:01 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn 02:15 -!- weox [uid112413@gateway/web/irccloud.com/x-qekpbchbsqfwjyyh] has quit [Quit: Connection closed for inactivity] 02:16 -!- mirco [~mirco@b2b-130-180-116-94.unitymedia.biz] has joined #openvpn 02:25 -!- Six6siX [~Devil@Fly6.londonm.co] has joined #openvpn 02:26 < Six6siX> Is it possible to have a configuration file for both ipv4 and ipv6 in one connection 02:30 < Six6siX> Anyone around? 02:34 -!- AlmogBaku [~AlmogBaku@37.26.149.193] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 02:39 -!- Six6siX [~Devil@Fly6.londonm.co] has quit [Quit: Online all the time] 02:39 -!- Six6siX [~Devil@Fly6.LondonM.CO] has joined #openvpn 02:48 -!- shneh [~kebvk@unaffiliated/shneh] has joined #openvpn 02:50 < shneh> I am using OpenVPN for Android 0.6.46 on Cyanogenmod 11 (Android 4.4.4) and once I connect to the OpenVPN server, I get the following errors: 02:51 < shneh> "Write UDP Operation not permitted (code=1)" 02:51 < shneh> "read UDP Connection refused (code=111)" 02:51 < shneh> i.e. I successfully connect to the server, but it does not work. 02:52 < shneh> The server log indicates no problem 02:52 < shneh> I am connecting over 3G, not wifi. 
02:53 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Ping timeout: 250 seconds] 02:55 < shneh> I also get "write UDP [ECONNREFUSED]: Operation not permitted (code=1)" 02:55 < shneh> searching online did not produce anything of use 02:56 -!- dazo_afk is now known as dazo 02:58 -!- ^cj^ is now known as ^CJ^ 02:58 -!- bithon [~bithon@unaffiliated/bithon] has quit [Ping timeout: 265 seconds] 03:00 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 248 seconds] 03:02 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Ping timeout: 272 seconds] 03:04 < shneh> I have no firewall on Android 03:04 < shneh> and the server is not blocking it either because connecting from linux/windows works 03:15 -!- ade_ [~Ade@redhat/adeb] has joined #openvpn 03:18 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn 03:20 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 03:22 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn 03:25 -!- xamindar [~quassel@c-24-4-76-244.hsd1.ca.comcast.net] has quit [Ping timeout: 255 seconds] 03:35 -!- f31n [~f31n@chello080108087069.7.11.vie.surfer.at] has left #openvpn [] 03:54 -!- toli [~toli@62.235.78.187] has quit [Ping timeout: 246 seconds] 03:58 < hiya> Can we manage openvpn server using 512MB 03:58 < Six6siX> yeah. 03:59 < shneh> When I use tcp instead of udp, I get "read TCP_CLIENT []: Connection refused (code=111)" 03:59 < hiya> Six6siX, but my KVM is always using 635 MB of memory 03:59 < hiya> does 32-bit take more memory? 04:00 < hiya> Debian 8 end up taking 600+ MB of memory 04:13 < Six6siX> have some vmem set then 04:13 < hiya> Six6siX, ok 04:14 < hiya> Six6siX, generally 512 MB ram is enough to host OpenVPN server with 100 Mbps port? 04:14 < Six6siX> i take it you're running it on a vps? 
04:14 < hiya> KVM VPS 04:14 < hiya> Debian Jessie Minimal 04:14 < Six6siX> you should be able to run it on that and allow a few users 04:16 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 04:17 < hiya> Six6siX, 10? 04:17 < hiya> 10 would be fine? 04:17 < Six6siX> depends on your vps setup... is it purely a openvpn server 04:18 < Six6siX> couldn't say 100% but try it... if it crashes reduce the number of users 04:18 < Six6siX> mine doesnt use hardly any memory 04:18 < hiya> How much memory do you have? 04:18 < hiya> Do you have a KVM too? 04:18 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Client Quit] 04:18 < Six6siX> i've got 1 gig of ram 2 gig of vmem.. 04:19 < Six6siX> around a 3 - 5 users on openvpn, and a whole bunch of other stuff running on it 04:20 < Six6siX> you can always upgrade your vps if you've gone with a decent provider 04:20 < Six6siX> some are instant upgrades too 04:28 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Read error: Connection reset by peer] 04:29 -!- BtbN [btbn@unaffiliated/btbn] has quit [Quit: Bye] 04:29 < shneh> new information: everything works when I use wifi, only 3G does not work. Checking the difference in logs, when connected over 3G no vpn routes are added according to log. 04:29 < shneh> whereas when using wifi, I get the routes added 04:30 < shneh> over 3G, the following are empty in the log: "Routes excluded" "VpnService routes installed" 04:31 -!- BtbN [btbn@unaffiliated/btbn] has joined #openvpn 04:31 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 04:47 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Ping timeout: 250 seconds] 04:47 < shneh> is there a more suitable channel to ask my question? 04:53 -!- kojin [4f11a21e@gateway/web/freenode/ip.79.17.162.30] has joined #openvpn 04:54 < kojin> hi all 04:54 < kojin> where I can find the openvpn log? 
05:05 -!- kojin [4f11a21e@gateway/web/freenode/ip.79.17.162.30] has quit [Quit: Page closed] 05:14 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 05:27 -!- ade_ [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds] 05:30 < hiya> Six6siX, I think getting 1G of VPS is the only option I have 05:32 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Read error: Connection reset by peer] 05:33 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 05:38 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Client Quit] 05:42 -!- moriko [~moriko@c49-196.i07-13.onvol.net] has joined #openvpn 05:52 <@dazo> hiya: OpenVPN requires very little memory. I've run it on even smaller systems than 512MB RAM. For VPSes ... check out vps2day.com, alvotech.de and virtualmaster.com, mostly affordable and decent VPSes 06:01 < hiya> dazo, Do you know any in RO/NL/FI etc? That accept BTC too 06:01 < hiya> :) 06:01 < hiya> I need the ones with unmetered traffic 06:01 <@dazo> hiya: dunno ... that's for you to figure out ;-) 06:02 <@dazo> I know vps2day have a data center in RO 06:02 < hiya> ok 06:02 < hiya> let me check 06:02 <@dazo> There are many VPS providers which have data centers in NL ... don't recall exactly which ones now 06:04 < hiya> ok 06:04 < hiya> vps2day legit? 06:04 < hiya> us owned? 06:05 <@dazo> https://www.vps2day.com/imprint.html 06:08 < hiya> german owned 06:09 < hiya> ? 06:12 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 06:12 < hiya> dazo, bro tell me about it please 06:12 < hiya> VPS2day 06:13 <@dazo> hiya: come on ... do your own research 06:13 <@dazo> my word is of little use if you get in trouble anyway 06:14 < hiya> ok 06:14 < hiya> :) 06:16 < hiya> I think I would go for NL 06:16 < hiya> :) 06:17 < hiya> dazo, Can you just tell me if they are legit? and not runaway bride? 
06:17 < hiya> :) 06:17 <@dazo> they are legit to my knowledge 06:19 < hiya> ok thanks 06:19 < hiya> buying NL 06:22 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has quit [Remote host closed the connection] 06:25 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn 06:27 -!- toli [~toli@83.134.72.8] has joined #openvpn 06:31 -!- bazhang [~bazhang@unaffiliated/bazhang] has joined #openvpn 06:32 -!- genera [~genera@unaffiliated/genera] has joined #openvpn 06:32 -!- kojin [4f11a21e@gateway/web/freenode/ip.79.17.162.30] has joined #openvpn 06:32 < kojin> I've a big problem with OpenVPN 06:32 < kojin> my server firewall is all open, and I've disabled the client windows firewall 06:33 < kojin> when I try to connect I get 06:33 < kojin> Wed Jan 20 13:22:43 2016 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054) 06:33 < kojin> I've checked with tcpdump and the server receives the packet on port 1194 06:33 < kojin> Can someone help me please? 06:48 -!- ade_ [~Ade@redhat/adeb] has joined #openvpn 06:58 -!- AfroThundr [~AfroThund@2601:147:c001:6667:9c20:ccd0:104e:ae4a] has quit [Read error: Connection reset by peer] 06:59 -!- AfroThundr [~AfroThund@2601:147:c001:6667:9c20:ccd0:104e:ae4a] has joined #openvpn 06:59 -!- whfsdude [~whfsdude@Zenoss/Support/whfsdude] has quit [Excess Flood] 07:00 -!- whfsdude [~whfsdude@Zenoss/Support/whfsdude] has joined #openvpn 07:01 <@dazo> kojin: https://openvpn.net/archive/openvpn-users/2006-02/msg00141.html 07:01 <@vpnHelper> Title: Re: [Openvpn-users] (WSAECONNRESET) (code=10054) over UDP, packet dropped due to output saturation over TCP with TUN (at openvpn.net) 07:02 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Read error: Connection reset by peer] 07:03 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 07:03 < kojin> dazo: must i change sndbuf and rcvbuf? 07:04 <@dazo> kojin: dunno ... 
just pointing you in a direction related to this issue ... see James' reply at the end of the mail 07:04 <@dazo> btw .... I've googled 'openvpn WSAECONNRESET' and get a lot of related hits 07:05 -!- bazhang [~bazhang@unaffiliated/bazhang] has left #openvpn ["Leaving"] 07:05 < kojin> dazo: yeah all about firewall rules 07:05 * dazo face palms ... and goes for food 07:10 < hiya> dazo, "MULTI: packet dropped due to output saturation message" 07:10 < hiya> I get this message a lot 07:11 < hiya> does it mean people are using tor? 07:13 < kojin> dazo: if i run it under TCP i get start c:\windows\system32\control.exe ncpa.cpl 07:14 < kojin> Wed Jan 20 14:11:27 2016 TCP: connect to [AF_INET]51.255.210.231:1194 failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive. 07:19 -!- mirco [~mirco@b2b-130-180-116-94.unitymedia.biz] has quit [Quit: mirco] 07:20 < kojin> restarted the server and I've solved -.-" 07:24 -!- mirco [~mirco@b2b-130-180-116-94.unitymedia.biz] has joined #openvpn 07:24 < hiya> kojin, you rock 07:27 -!- kojin [4f11a21e@gateway/web/freenode/ip.79.17.162.30] has quit [Ping timeout: 252 seconds] 07:36 -!- shneh [~kebvk@unaffiliated/shneh] has quit [Quit: shneh] 07:51 -!- dionysus70 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 07:51 -!- s7r_ [~s7r@openvpn/user/s7r] has joined #openvpn 07:51 -!- mode/#openvpn [+v s7r_] by ChanServ 07:51 -!- JackWinter_ [~jack@vodsl-9287.vo.lu] has joined #openvpn 07:52 -!- genera [~genera@unaffiliated/genera] has quit [Ping timeout: 248 seconds] 07:52 -!- D-HUND [~debdog@2a02:8070:4382:5600:7a24:afff:fe8a:d04d] has joined #openvpn 07:54 -!- linear_ [~L@unaffiliated/linear] has joined #openvpn 07:54 -!- illuminated_ [~illuminat@freebsd/user/illuminated] has joined #openvpn 07:57 -!- Whoopie_ [~Whoopie@unaffiliated/whoopie] has joined #openvpn 07:57 -!- Gizmokid2010 [~Gizmokid2@dedi2.gizmokid2005.com] has joined #openvpn 07:57 -!- CheckYourSix_ 
[~CheckYour@2604:a880:800:10::1e3:5001] has joined #openvpn 07:57 -!- mgorbach_ [~mgorbach@pool-100-0-240-30.bstnma.fios.verizon.net] has joined #openvpn 07:58 -!- WarDriver [~WarDriver@ec2-54-94-215-163.sa-east-1.compute.amazonaws.com] has joined #openvpn 07:58 -!- Netsplit *.net <-> *.split quits: JackWinter, walnuts, AlexRussia, linear, riddle, sarlalian, CheckYourSix, kloeri, yoavz, loeken, (+26 more, use /NETSPLIT to show all of them) 07:58 -!- CheckYourSix_ [~CheckYour@2604:a880:800:10::1e3:5001] has quit [Max SendQ exceeded] 07:58 -!- Whoopie_ is now known as Whoopie 07:58 -!- Gizmokid2010 is now known as Gizmokid2005 07:58 -!- dionysus70 is now known as dionysus69 07:58 -!- mgorbach_ is now known as mgorbach 07:58 -!- excalibr- [excalibr@unaffiliated/excalibr] has joined #openvpn 07:59 -!- Netsplit over, joins: zpatten 07:59 -!- Netsplit over, joins: CheckYourSix, varesa 07:59 -!- Netsplit over, joins: julieeharshaw 08:00 -!- Netsplit over, joins: luckman212 08:00 -!- MrPocketz [~John@unaffiliated/mrpockets] has joined #openvpn 08:00 -!- Netsplit over, joins: riddle 08:00 -!- MrPocketz [~John@unaffiliated/mrpockets] has quit [Max SendQ exceeded] 08:00 -!- Netsplit over, joins: mparisi 08:01 -!- uiyice [~uiywtf@69.143.201.7] has quit [Remote host closed the connection] 08:02 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:02 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:02 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:02 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:02 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:02 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:03 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:03 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:03 -!- AlmogBaku 
[~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Read error: Connection reset by peer] 08:03 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:03 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:03 -!- crane [~crane@chat.craneworks.de] has joined #openvpn 08:04 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:04 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:04 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 08:04 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:04 -!- MrPockets [~John@unaffiliated/mrpockets] has joined #openvpn 08:04 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:04 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:04 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:05 -!- nemysis [~nemysis@freebsd/developer/pcbsd.nemysis] has joined #openvpn 08:05 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:05 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:05 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:05 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:06 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn 08:06 -!- dyce [~otr@ns3290920.ip-5-135-184.eu] has joined #openvpn 08:06 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:06 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:06 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn 08:06 -!- sarlalian [~sarlalian@107.170.239.102] has joined #openvpn 08:06 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:06 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] 
has quit [Excess Flood] 08:07 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:07 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:07 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:07 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:07 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:07 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:08 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:08 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:08 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:08 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:08 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:08 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:09 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:09 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:09 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn 08:09 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:09 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:09 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 260 seconds] 08:10 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:10 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:10 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:10 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:10 < hiya> hey people 08:10 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:10 -!- uiyice 
[~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:11 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:11 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:11 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:11 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:12 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:12 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:12 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:12 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:12 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:12 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:13 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:13 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:13 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:13 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:14 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:14 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:14 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:14 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:14 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:14 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:14 -!- JackWinter_ [~jack@vodsl-9287.vo.lu] has quit [Quit: Konversation terminated!] 
08:15 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn
08:15 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood]
08:15 -!- u0m3__ [~u0m3@5-12-78-171.residential.rdsnet.ro] has quit [Quit: Leaving]
08:15 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn
08:17 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn
08:18 -!- HollowPoint [~quassel@62.255.245.182] has quit [Ping timeout: 240 seconds]
08:19 -!- HollowPoint [~quassel@62.255.245.182] has joined #openvpn
08:24 -!- kloeri [kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn
08:25 -!- jackbrown [~se@unaffiliated/jackbrown] has joined #openvpn
08:33 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Read error: No route to host]
08:36 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
08:59 < hiya> hi
09:01 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Ping timeout: 265 seconds]
09:01 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn
09:02 -!- jackbrown [~se@unaffiliated/jackbrown] has quit [Ping timeout: 256 seconds]
09:04 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 260 seconds]
09:09 -!- jackbrown [~se@unaffiliated/jackbrown] has joined #openvpn
09:12 -!- IronY [~IronY@unaffiliated/irony] has joined #openvpn
09:16 -!- moriko [~moriko@c49-196.i07-13.onvol.net] has quit [Ping timeout: 250 seconds]
09:16 -!- jackbrown [~se@unaffiliated/jackbrown] has quit [Quit: Sto andando via]
09:27 -!- dvl [~dvl@freebsd/developer/dvl] has left #openvpn ["Textual IRC Client: www.textualapp.com"]
09:32 -!- krzie [ba95f387@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds]
09:33 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Read error: Connection reset by peer]
09:36 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
09:47 -!- xamindar [~quassel@c-24-4-76-244.hsd1.ca.comcast.net] has joined #openvpn
09:53 -!- FL1SK [~quassel@96-19-62-23.cpe.cableone.net] has joined #openvpn
09:57 -!- obscurehero [~obscurehe@via.arcis.pw] has quit [Quit: Out!]
09:58 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit []
10:04 -!- allizom [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has joined #openvpn
10:04 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Read error: No route to host]
10:06 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
10:07 -!- chamunks [chamunks@loki.entityreborn.com] has quit [Read error: Connection reset by peer]
10:07 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has quit [Ping timeout: 260 seconds]
10:08 -!- chamunks [chamunks@loki.entityreborn.com] has joined #openvpn
10:08 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Client Quit]
10:09 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn
10:09 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has joined #openvpn
10:17 -!- obscurehero [~obscurehe@via.arcis.pw] has joined #openvpn
10:21 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
10:24 < Kniaz> hello guys. It has been a while since I looked into my openvpn server installation. I just noticed that my /etc/openvpn/easy-rsa/keys folder is empty.
10:24 < Kniaz> when I tried to generate a new client cert
10:24 < hiya> ok
10:25 < hiya> Kniaz, What did you do?
10:26 < Kniaz> hiya: have not really done anything with this vpn installation. I know I upgraded debian 7 to 8 a few months ago
10:26 < Kniaz> df -hT
10:26 < Kniaz> oops
10:28 < Kniaz> maybe the upgrade wiped out the keys folder?
10:28 < Kniaz> the config is unchanged though
10:28 < hiya> Kniaz, ok :)
10:28 < Kniaz> what?
10:28 < hiya> Kniaz, now redo it all then
10:29 < hiya> you are invited to my chan in case you need help with VPN installation
10:29 < Kniaz> which chan
10:30 < hiya> well I invited you
10:30 < hiya> but it's ok
10:30 < hiya> :)
10:30 < hiya> you can talk here
10:30 < hiya> do it all again maybe?
10:30 < hiya> with Debian comes new OpenSSL library
10:30 < hiya> so use / enforce TLS 1.2
10:31 < hiya> tls-version-min 1.2
10:31 < hiya> tls-cipher TLS-DHE-RSA-AES-256-GCM-SHA384
10:31 < hiya> auth SHA512
10:31 < hiya> cipher AES-256-CBC
10:31 < hiya> :)
10:33 < Kniaz> is that the reason it got wiped though?
10:33 < DArqueBishop> Kniaz: it's possible.
10:33 < DArqueBishop> I'm guessing you don't have any backups?
10:33 < hiya> Kniaz, Ask in #debian
10:34 < hiya> Kniaz, Only they can confirm :)
10:37 < Kniaz> DArqueBishop: I have disk snapshots, but I don't think I want to revert to so long ago
10:38 < hiya> Kniaz, do it all again
10:38 < hiya> it's not that hard :)
10:39 < DArqueBishop> Kniaz: a fair point. At this point, if you can't find where your keys are located (using locate), you're probably going to need to regenerate your CA and certs/keys.
10:40 < Kniaz> I asked in #debian, I doubt anyone will confirm that the upgrade deleted my ca cert and keys
10:41 < hiya> Kniaz, hehe then sue them or just get new certs and on bro,
10:41 < hiya> Kniaz, if you just need VPN, I host a community OVPN server, get access and enjoy
10:42 < DArqueBishop> My suggestion would be that when you generate the new CA and certs, you back them up using tar and then store them in a secure location (preferably not on the machine).
10:42 < Kniaz> yeah
10:42 < DArqueBishop> Then repeat the backup whenever you add certs/keys or make a major upgrade to the machine.
10:42 < Kniaz> let me generate new certs...
10:42 < Kniaz> need to remember how to do this
10:44 < DArqueBishop> (Rather, BEFORE you make a major upgrade to the machine.)
10:44 < DArqueBishop> Kniaz, the HOWTO has easy steps.
10:44 < DArqueBishop> !howto
10:44 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
10:45 < hiya> I never backup
10:45 < hiya> all my certs expire every 45 days
10:45 < hiya> :)
10:45 < hiya> hehe
10:45 < hiya> including CA
10:46 < Kniaz> ./pkitool --initca ???
10:46 < hiya> ./build-ca
10:46 < hiya> first edit it
10:46 < hiya> and set a --pass
10:46 < hiya> so that your root CA is password protected
10:47 < hiya> I recommend it
10:48 < Kniaz> is something wrong with using ./pkitool --initca ?
10:48 < hiya> no
10:48 < hiya> :)
10:48 < hiya> Why not use the script that provides ease of use
10:48 < Kniaz> it ran and finished quick without asking me anything
10:52 < Kniaz> did not prompt me for a password
10:53 -!- lucad111 [~lucad111@81.128.185.50] has joined #openvpn
10:55 < lucad111> hi guys, can I run an openvpn server without setting aside a pool of addresses to be assigned?
10:55 < lucad111> I mean dynamically
10:56 < lucad111> so that I can just assign some predetermined ips
11:00 -!- ^CJ^ is now known as ^cj^
11:01 -!- ade_ [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
11:04 -!- varesa_ [~varesa@ec2-54-171-127-114.eu-west-1.compute.amazonaws.com] has quit [Ping timeout: 255 seconds]
11:04 -!- HollowPoint [~quassel@62.255.245.182] has quit [Remote host closed the connection]
11:07 -!- mirco [~mirco@b2b-130-180-116-94.unitymedia.biz] has quit [Quit: mirco]
11:07 -!- hid3 [~arnoldas@78.157.71.116] has joined #openvpn
11:07 -!- mirco [~mirco@b2b-130-180-116-94.unitymedia.biz] has joined #openvpn
11:09 -!- mirco [~mirco@b2b-130-180-116-94.unitymedia.biz] has quit [Client Quit]
11:15 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
11:15 -!- varesa [~varesa@ec2-52-49-18-111.eu-west-1.compute.amazonaws.com] has quit [Quit: ZNC - http://znc.in]
11:24 -!- varesa [~varesa@ec2-52-49-18-111.eu-west-1.compute.amazonaws.com] has joined #openvpn
11:31 < Kniaz> where does openvpn server write the log in debian 8?
11:33 < hiya> Kniaz, set it in server.conf
11:33 < hiya> log-append vpn.log
11:34 < hiya> status stat.log
11:34 < hiya> then tail/cat it
11:34 < hiya> :)
11:34 < hiya> by default it is in syslog
11:34 < hiya> /var/log
11:38 -!- eelstrebor [~ki7rw@216.75.116.100] has joined #openvpn
11:38 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn
12:08 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Quit: Quit.]
12:15 -!- allizom1 [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has joined #openvpn
12:17 -!- nomad_fr [~nomad_fr@ks397872.ip-192-95-25.net] has joined #openvpn
12:18 -!- abra0_ [znc-admin@unaffiliated/abra0] has joined #openvpn
12:19 -!- rich0_ [~quassel@gentoo/developer/rich0] has joined #openvpn
12:22 -!- hays [~quassel@unaffiliated/hays] has quit [Ping timeout: 244 seconds]
12:22 -!- n-st_ [~n-st@unaffiliated/n-st] has joined #openvpn
12:23 -!- wkts- [~wkts@45.55.231.187] has joined #openvpn
12:23 -!- Exagone314 [exa@elou.world] has joined #openvpn
12:23 -!- BrianBla- [~blaze@unaffiliated/brianblaze] has joined #openvpn
12:24 -!- Netsplit *.net <-> *.split quits: [Mew2], Neighbour, jesopo, Poster, marlinc, infernix, rich0, MrPockets, abra0, n-st, (+12 more, use /NETSPLIT to show all of them)
12:24 -!- abra0_ is now known as abra0
12:24 -!- wkts- is now known as wkts
12:24 -!- allizom1 is now known as allizom
12:24 -!- n-st_ is now known as n-st
12:24 -!- Netsplit over, joins: [Mew2]
12:24 -!- Netsplit over, joins: lbft
12:24 -!- marlinc_ [~marlinc@unaffiliated/marlinc] has joined #openvpn
12:25 -!- Exagone314 is now known as Exagone313
12:25 -!- Netsplit over, joins: Lehvyn
12:25 -!- MrPockets [~John@unaffiliated/mrpockets] has joined #openvpn
12:26 -!- Netsplit over, joins: Neighbour
12:26 -!- Netsplit over, joins: DzAirmaX
12:26 -!- marlinc_ is now known as marlinc
12:27 -!- Netsplit over, joins: jareth_
12:28 -!- CaTtleyA_ [~CaTtleyA@aputeaux-653-1-39-166.w86-195.abo.wanadoo.fr] has quit [Quit: Lost terminal]
12:29 -!- Tenhi [~tenhi@static.100.25.4.46.clients.your-server.de] has joined #openvpn
12:29 -!- CaTtleyA_ [~CaTtleyA@aputeaux-653-1-39-166.w86-195.abo.wanadoo.fr] has joined #openvpn
12:29 < Eugene> lucad111 - sure. See the man page's section on --server, taking note of how it expands to include ifconfig-pool.
12:30 -!- jesopo [jess@lolnerd.net] has joined #openvpn
12:30 < lucad111> Eugene: cool! thank you!
12:32 -!- Poster [~poster@cpe-74-140-100-29.columbus.res.rr.com] has joined #openvpn
12:36 -!- infernix [nix@unaffiliated/infernix] has joined #openvpn
12:36 -!- Meow-J [uid69628@gateway/web/irccloud.com/x-gpfqazxtwbswspjb] has quit [Quit: Connection closed for inactivity]
12:38 -!- Netsplit *.net <-> *.split quits: jareth_, Tenhi
12:39 -!- lucad111 [~lucad111@81.128.185.50] has left #openvpn []
12:39 -!- Zzyzx_ [~Zzyzx@unaffiliated/zzyzx] has joined #openvpn
12:40 -!- Netsplit over, joins: Tenhi, jareth_
12:40 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has quit [Ping timeout: 248 seconds]
12:42 -!- c|oneman [cloneman@2605:6400:2:fed5:22:0:3b06:3913] has quit [Ping timeout: 260 seconds]
12:45 -!- c|oneman [cloneman@2605:6400:2:fed5:22:0:3b06:3913] has joined #openvpn
12:50 -!- Netsplit *.net <-> *.split quits: jareth_, Tenhi
12:51 -!- Netsplit over, joins: Tenhi, jareth_
12:59 -!- excalibr- [excalibr@unaffiliated/excalibr] has quit [Changing host]
12:59 -!- excalibr- [excalibr@gateway/shell/firrre/x-pavdsxvmvckamxge] has joined #openvpn
13:01 -!- Netsplit *.net <-> *.split quits: jareth_, Tenhi
13:02 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Quit: dionysus69]
13:07 -!- nitdega [~nitdega@2602:304:ab12:4401:ea57:e16c:d410:4e4c] has quit [Quit: ZNC - 1.6.0 - http://znc.in]
13:15 -!- eelstrebor [~ki7rw@216.75.116.100] has quit [Quit: Ex-Chat]
13:16 -!- Tenhi [~tenhi@static.100.25.4.46.clients.your-server.de] has joined #openvpn
13:26 -!- nitdega [~nitdega@2602:304:ab12:ace1:40c4:a280:9841:dfd2] has joined #openvpn
13:32 -!- dazo is now known as dazo_afk
13:32 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 265 seconds]
13:36 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has joined #openvpn
13:37 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn
13:43 -!- Zzyzx_ [~Zzyzx@unaffiliated/zzyzx] has quit [Ping timeout: 248 seconds]
13:43 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has joined #openvpn
13:55 -!- s34n [~chatzilla@104.152.131.130] has left #openvpn []
14:20 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
14:28 -!- ciscam [~ciscam@b2b-130-180-90-98.unitymedia.biz] has joined #openvpn
14:31 -!- Netsplit *.net <-> *.split quits: jareth_
14:31 < ciscam> Hi! Typical question: After hours of troubleshooting I don't know what to do next: I have an OpenVPN-AS vm running in my network. Clients can connect no problem with the server-generated config but can not access any resources on the server network
14:32 < ciscam> the route is being pushed, I can ping the vpn server's virtual adapter in the vpn client subnet, which is properly pushed as the routes' gateway
14:32 < DArqueBishop> !as
14:32 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
14:33 < ciscam> Are you sure this is an openvpn-as specific problem?
14:35 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
14:42 -!- eelstrebor [~ki7rw@216.75.116.100] has joined #openvpn
14:42 -!- ustn [~ustn@p4FDB16E5.dip0.t-ipconnect.de] has joined #openvpn
14:45 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
14:48 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Ping timeout: 260 seconds]
14:49 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
14:53 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has quit [Ping timeout: 248 seconds]
14:55 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has joined #openvpn
14:55 -!- Netsplit *.net <-> *.split quits: jareth_
14:56 -!- ciscam [~ciscam@b2b-130-180-90-98.unitymedia.biz] has quit [Ping timeout: 256 seconds]
14:56 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has quit [Client Quit]
15:09 -!- ciscam [~ciscam@b2b-130-180-90-98.unitymedia.biz] has joined #openvpn
15:45 -!- Sventek [~You@ip5f5ae17f.dynamic.kabel-deutschland.de] has joined #openvpn
15:45 -!- CaTtleyA_ [~CaTtleyA@aputeaux-653-1-39-166.w86-195.abo.wanadoo.fr] has quit [Quit: leaving]
15:45 < Sventek> !welcome
15:45 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
15:45 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:46 < Sventek> !goal
15:46 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:47 -!- CaTtleyA_ [~CaTtleyA@aputeaux-653-1-39-166.w86-195.abo.wanadoo.fr] has joined #openvpn
15:47 -!- ciscam [~ciscam@b2b-130-180-90-98.unitymedia.biz] has quit [Quit: Leaving]
15:50 -!- Netsplit over, joins: jareth_
15:59 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:04 < Sventek> !howto for beginners
16:04 < Sventek> !howto
16:04 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
16:05 < Sventek> !route
16:05 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
16:05 <@vpnHelper> client
16:05 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has quit [Remote host closed the connection]
16:05 < Sventek> !topology
16:05 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
16:06 < Sventek> I have a vServer on virtuozzo, right now I'm installing Centos 7 with Plesk 12,5. TUN/TAP is activated. I would like to install openvpn and I want to know if I have to configure something on the interface.
16:10 < Sventek> Hello, anyone around?
16:12 -!- mete [~mete@91.247.253.160] has quit [Ping timeout: 260 seconds]
16:14 -!- mete [~mete@91.247.253.160] has joined #openvpn
16:16 < Sventek> !iporder
16:16 <@vpnHelper> "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice). or (#2) Use --client-config-dir file for static IP (next choice) !static for more info or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice) or (#4) if you use --ifconfig-pool-persist see !ipp
16:16 < Sventek> !static
16:16 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) with static IPs, limit your --ifconfig-pool to exclude the static range or (#5) See also: !addressing
16:17 < Sventek> !tunortap
16:17 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
16:17 <@vpnHelper> rooted/jailbroken) support only tun
16:18 < Sventek> !tun
16:18 < Sventek> !addressing
16:18 <@vpnHelper> "addressing" is For information about IP addressing in OpenVPN, see: https://community.openvpn.net/openvpn/wiki/Concepts-Addressing
16:19 < Sventek> !topology
16:19 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
16:23 -!- litewait [~litewait@ool-4571f90d.dyn.optonline.net] has joined #openvpn
16:23 -!- Cihan [uid140068@gateway/web/irccloud.com/x-lmstjmgvmxpadaxp] has quit []
16:24 -!- CihanKaygusuz [uid140065@gateway/web/irccloud.com/x-koluwkdsdmuzraid] has quit []
16:25 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Ping timeout: 240 seconds]
16:25 < litewait> Have Tunnelblick and Windows connecting fine with OpenVPN server, trying to use the same .ovpn with Ubuntu gets to: "Initialization Sequence Completed" but the routes that are pushed don't work. Is there anything different I need to do to get Linux to work?
16:25 < litewait> netstat -r does show the routes
16:28 < litewait> I set verb=5 and I am getting WrWrWrWrWrWrWrWrWrWrWrWrWrWWWrWWWW which I assume is ok.
16:31 -!- Sventek [~You@ip5f5ae17f.dynamic.kabel-deutschland.de] has quit [Changing host] 16:31 -!- Sventek [~You@unaffiliated/sventek] has joined #openvpn 16:32 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn 16:38 -!- weox [uid112413@gateway/web/irccloud.com/x-lafodplxqgnwdaur] has joined #openvpn 16:50 -!- ustn [~ustn@p4FDB16E5.dip0.t-ipconnect.de] has quit [Quit: ustn] 16:51 -!- CihanKaygusuz [uid141334@gateway/web/irccloud.com/x-djqgnmhphbxevgfg] has joined #openvpn 16:51 -!- Cihan [uid141333@gateway/web/irccloud.com/x-ekgtfjpurtdwhmjl] has joined #openvpn 16:54 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn 16:59 -!- lkjahsdkfj [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 17:00 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Ping timeout: 265 seconds] 17:05 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 260 seconds] 17:06 -!- catsup [d@ps38852.dreamhost.com] has quit [Ping timeout: 260 seconds] 17:06 -!- wiz [~sid1@irc-gw.wiz.network] has quit [Ping timeout: 260 seconds] 17:06 -!- NP-Completeass [~NP-Hardas@gentoo/developer/np-hardass] has quit [Ping timeout: 260 seconds] 17:07 -!- wiz [~sid1@irc-gw.wiz.network] has joined #openvpn 17:07 -!- catsup [d@ps38852.dreamhost.com] has joined #openvpn 17:08 -!- NP-Completeass [~NP-Hardas@gentoo/developer/np-hardass] has joined #openvpn 17:10 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn 17:11 -!- mode/#openvpn [+o krzee] by ChanServ 17:12 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 17:13 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Client Quit] 17:14 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 17:15 -!- hiya [hiya@gateway/shell/panicbnc/x-zkleqbxfzvmcjvma] has quit [Ping timeout: 240 seconds] 17:16 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Remote host closed the 
connection] 17:18 -!- hiya [hiya@gateway/shell/panicbnc/x-xokhncmcfvpeetzj] has joined #openvpn 17:23 -!- Sventek [~You@unaffiliated/sventek] has left #openvpn [] 17:26 -!- u0m3 [~u0m3@5-12-78-171.residential.rdsnet.ro] has joined #openvpn 17:42 -!- m01_ [~quassel@2a02:2658:1011:1::2:4044] has joined #openvpn 17:44 -!- arlen [~arlen@jarvis.arlen.io] has quit [Quit: exit] 17:45 -!- arlen [~arlen@jarvis.arlen.io] has joined #openvpn 17:48 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 17:49 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 18:00 -!- eelstrebor [~ki7rw@216.75.116.100] has quit [Quit: Ex-Chat] 18:26 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Ping timeout: 260 seconds] 18:30 -!- linear_ is now known as linear 18:32 -!- excalibr- is now known as excalibr 18:44 -!- gardar [~gardar@bnc.giraffi.net] has quit [Ping timeout: 276 seconds] 18:47 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. 
ZZZzzz…] 18:49 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn 19:29 -!- ShadniX_ [dagger@p5DDFD2F2.dip0.t-ipconnect.de] has joined #openvpn 19:31 -!- ShadniX [dagger@p5DDFD9E7.dip0.t-ipconnect.de] has quit [Ping timeout: 248 seconds] 19:31 -!- ShadniX_ is now known as ShadniX 19:34 -!- ShadniX [dagger@p5DDFD2F2.dip0.t-ipconnect.de] has quit [Client Quit] 19:35 -!- arlen [~arlen@jarvis.arlen.io] has quit [Read error: Connection reset by peer] 19:37 -!- ShadniX [~ShadniX@p5DDFD2F2.dip0.t-ipconnect.de] has joined #openvpn 19:49 -!- arlen [~arlen@jarvis.arlen.io] has joined #openvpn 19:56 -!- arlen [~arlen@jarvis.arlen.io] has quit [Max SendQ exceeded] 20:00 -!- arlen [~arlen@jarvis.arlen.io] has joined #openvpn 20:01 -!- kaiza [~kaiza@172.98.67.31] has joined #openvpn 20:09 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection] 20:11 -!- xamindar [~quassel@c-24-4-76-244.hsd1.ca.comcast.net] has quit [Ping timeout: 265 seconds] 20:12 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn 20:32 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn 20:39 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn 20:47 -!- arlen [~arlen@jarvis.arlen.io] has quit [Remote host closed the connection] 20:50 -!- toli [~toli@83.134.72.8] has quit [Ping timeout: 246 seconds] 20:54 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Ping timeout: 250 seconds] 20:55 -!- toli [~toli@ip-62-235-237-14.dsl.scarlet.be] has joined #openvpn 20:56 -!- eelstrebor [~ki7rw@216.75.116.100] has joined #openvpn 21:01 -!- Lehvyn [~Lehvyn@unaffiliated/lehvyn] has left #openvpn [] 21:02 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn 21:05 -!- weox [uid112413@gateway/web/irccloud.com/x-lafodplxqgnwdaur] has quit [Quit: Connection closed for inactivity] 21:09 -!- MannyLNJ [~MannyLNJ-@2600:1002:b102:48f6:2c55:d748:941:992e] has joined #openvpn 21:13 -!- MannyLNJ [~MannyLNJ-@2600:1002:b102:48f6:2c55:d748:941:992e] has quit [Ping 
timeout: 250 seconds]
21:18 -!- tobinski___ [~tobinski@x2f5a094.dyn.telefonica.de] has joined #openvpn
21:21 -!- tobinski_ [~tobinski@x2f5835c.dyn.telefonica.de] has quit [Ping timeout: 265 seconds]
21:29 -!- MannyLNJ [~MannyLNJ-@ool-18b9957a.dyn.optonline.net] has joined #openvpn
21:29 < MannyLNJ> !goal
21:29 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
21:30 < MannyLNJ> I would like to access printers and a media server on my home network from the road. My home system is Ubuntu based and I have a Windows 10 laptop, a Ubuntu laptop, an iPhone and an Android phone along with Android Tablet. Any help appreciated because I've already fouled things up on my own
21:36 -!- weox [uid112413@gateway/web/irccloud.com/x-pwxzhfxnjtxcufgz] has joined #openvpn
21:42 < MannyLNJ> when I do cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0* /etc/openvpn/easy-rsa I get cp: cannot stat ‘/usr/share/doc/openvpn/examples/easy-rsa/2.0*’: No such file or directory
21:42 < MannyLNJ> but I did apt-get install openvpn
21:54 -!- AMERICAN_PSYCHO [~AMERICAN_@60.sub-70-196-0.myvzw.com] has joined #openvpn
22:00 -!- chachasmooth [~chachasmo@p5B125219.dip0.t-ipconnect.de] has quit [Ping timeout: 272 seconds]
22:00 < MannyLNJ> when I do cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0* /etc/openvpn/easy-rsa I get cp: cannot stat ‘/usr/share/doc/openvpn/examples/easy-rsa/2.0*’: No such file or directory but I did apt-get install openvpn
22:01 -!- chachasmooth [~chachasmo@p4FC5F9EA.dip0.t-ipconnect.de] has joined #openvpn
22:04 -!- arlen [~arlen@jarvis.arlen.io] has joined #openvpn
22:15 < MannyLNJ> when I do cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0* /etc/openvpn/easy-rsa I get cp: cannot stat ‘/usr/share/doc/openvpn/examples/easy-rsa/2.0*’: No such file or directory but I did apt-get install openvpn
22:17 -!- allizom [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has quit [Quit: allizom]
22:28 -!- roentgen [~roentgen@unaffiliated/roentgen] has quit [Quit: WeeChat 1.3]
22:28 -!- eelstrebor [~ki7rw@216.75.116.100] has quit [Quit: Ex-Chat]
22:32 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
22:34 -!- _FBi [~B@Aircrack-NG/User] has joined #openvpn
22:35 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 260 seconds]
22:41 -!- AMERICAN_PSYCHO [~AMERICAN_@60.sub-70-196-0.myvzw.com] has quit [Read error: Connection reset by peer]
22:41 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
22:44 -!- MannyLNJ [~MannyLNJ-@ool-18b9957a.dyn.optonline.net] has quit [Ping timeout: 260 seconds]
22:59 -!- james41382 [~james4138@unaffiliated/james41382] has quit [Quit: Leaving]
23:10 -!- lkjahsdkfj is now known as uiyice
23:15 -!- james41382 [~james4138@unaffiliated/james41382] has joined #openvpn
23:28 -!- james41382 [~james4138@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
23:36 -!- ShadniX [~ShadniX@p5DDFD2F2.dip0.t-ipconnect.de] has quit [Ping timeout: 248 seconds]
23:38 -!- ShadniX [dagger@p5DDFDFD4.dip0.t-ipconnect.de] has joined #openvpn
23:38 -!- james41382 [~james4138@unaffiliated/james41382] has joined #openvpn
23:41 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has left #openvpn []
23:42 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
23:43 -!- james41382 [~james4138@unaffiliated/james41382] has quit [Quit: Leaving]
23:49 < hiya> MULTI: bad source address from client [192.168.0.50], packet dropped
23:49 < hiya> I get this message a lot
23:56 -!- ayaz_ [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
23:56 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Ping timeout: 264 seconds]
--- Day changed Thu Jan 21 2016
00:20 -!- D-HUND is now known as debdog
00:22 -!- ayaz_ is now known as ayaz
00:25 -!- james41382
[~james4138@unaffiliated/james41382] has joined #openvpn 00:28 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 00:32 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Client Quit] 00:32 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 00:41 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com] 01:10 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn 01:12 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 250 seconds] 01:13 -!- arlen [~arlen@jarvis.arlen.io] has quit [Quit: exit] 01:21 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 01:35 -!- arlen [~arlen@jarvis.arlen.io] has joined #openvpn 01:38 -!- kaiza [~kaiza@172.98.67.31] has quit [Ping timeout: 250 seconds] 01:51 -!- OS-16517 [OS-16517@unaffiliated/os-16517] has quit [Ping timeout: 265 seconds] 01:51 -!- kaiza [~kaiza@172.98.67.45] has joined #openvpn 02:01 -!- AlmogBaku [~AlmogBaku@37.26.146.232] has joined #openvpn 02:08 -!- AlmogBaku [~AlmogBaku@37.26.146.232] has quit [Quit: My Mac has gone to sleep. 
ZZZzzz…] 02:14 -!- TheSilverSentine [TheSilverS@gateway/shell/bnc4free/x-qeiklpflqreziszc] has quit [Excess Flood] 02:21 -!- OS-16517 [~YBPL@unaffiliated/os-16517] has joined #openvpn 02:35 -!- ^cj^ is now known as ^CJ^ 02:40 -!- AlmogBaku [~AlmogBaku@37.26.146.160] has joined #openvpn 02:41 -!- AlmogBaku [~AlmogBaku@37.26.146.160] has quit [Client Quit] 02:54 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 03:01 -!- u0m3 [~u0m3@5-12-78-171.residential.rdsnet.ro] has quit [Read error: Connection reset by peer] 03:07 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn 03:21 -!- MrPockets [~John@unaffiliated/mrpockets] has quit [Ping timeout: 250 seconds] 03:23 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 03:27 -!- MrPockets [~John@unaffiliated/mrpockets] has joined #openvpn 03:33 -!- HollowPoint [~quassel@62.255.245.182] has joined #openvpn 03:44 -!- dazo_afk is now known as dazo 03:53 -!- moriko [~moriko@178.162.222.41.adsl.inet-telecom.org] has joined #openvpn 03:56 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn 04:07 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 264 seconds] 04:12 -!- HollowPoint [~quassel@62.255.245.182] has quit [Ping timeout: 264 seconds] 04:12 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Quit: Quit.] 
04:24 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Read error: Connection reset by peer] 04:32 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 04:34 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Client Quit] 04:46 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 04:46 -!- pothepanda [~thgs@2a02:587:3c04:1300:29bd:eda6:11ed:de2d] has joined #openvpn 05:00 -!- r4co0n_ [~r4co0n@unaffiliated/r4co0n] has joined #openvpn 05:04 < r4co0n_> I want my OpenVPN clients to be able to use a separate IPSEC-tunnel established by the server. I therefore push a route to the IPSEC-tunnelled subnet to my clients. The IPSEC-network is reachable from the server and directly(non-VPN) connected clients. However, it is not from the VPN. 05:07 < r4co0n_> I think I need to masquerade the packets that come from VPN-Interface destined to the IPSEC-Tunnel, because "Remember that these private subnets will also need to know about the OpenVPN client address pool". 05:08 -!- r4co0n_ is now known as r4co0n 05:08 < r4co0n> How can I troubleshoot this? 05:11 < r4co0n> This is with OpenVPN 2.3.4 on Debian stable. I use the arnos-iptables-firewall script - I declared the VPN interface as internal interface that needs to be natted. 05:11 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 05:18 -!- r4co0n_ [~r4co0n@unaffiliated/r4co0n] has joined #openvpn 05:19 <@dazo> r4co0n: use tcpdump on each of the interfaces on the vpn servers, then you'll see which path packets go or don't go ... then check firewall and routing tables 05:19 -!- r4co0n [~r4co0n@unaffiliated/r4co0n] has quit [Ping timeout: 264 seconds] 05:19 <@dazo> r4co0n_: ^^ 05:20 <@dazo> only use masquerading as the last option ... 
using proper routing is harder in short term, but less trouble in long term 05:21 < r4co0n_> dazo: When I turned on verbosity for the OpenVPN Logs, I saw the (server) log come to life when initiating a ping from a vpn-connected client. 05:22 < r4co0n_> I couldn't tell a difference from the lines generated by a successful ping. 05:22 <@dazo> that will only tell you about traffic over the VPN tunnel ... tcpdump takes the network packets the OS kernel processes on each of your devices 05:22 < r4co0n_> I will also look at tcpdump 05:23 <@dazo> or rather, openvpn logs will only tell you about traffic over that particular openvpn tunnel ... nothing else. That is only useful to see if the openvpn client/server can talk to each other 05:23 < r4co0n_> so i go tcpdump -i source ? 05:24 <@dazo> I usually do: tcpdump -ni $interface 05:24 < r4co0n_> this will get messy as there are people sending data over this interface right now 05:24 < r4co0n_> i can postpone it to the night... 05:24 <@dazo> if I ssh over one of these tunnels ... you can do: tcpdump -ni $interface host ! $IPaddress .... or tcpdump -ni $interface port ! 22 05:25 <@dazo> if you just want to test with ping ... use: tcpdump -ni $interface icmp 05:25 <@dazo> tcpdump filters are incredibly flexible and effective 05:25 < r4co0n_> i discovered it for myself only weeks ago 05:25 < r4co0n_> I really like it 05:26 < r4co0n_> e.g., i used it to sniff the mac via bootp by simply plugging my laptop into various hw-phones (with broken display) 05:27 < r4co0n_> I'll test the icmp approach and will report back, thank you dazo. 05:32 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn 06:01 -!- r4co0n_ is now known as r4co0n 06:09 < r4co0n> dazo, your approach helped a lot. 06:09 < r4co0n> the problem seems to be neither OpenVPN settings (already pushing the routes for the wanted subnets) nor firewall-related. 06:11 < r4co0n> I have to add another IPSEC phase 2 for my OpenVPN subnet.
Currently only my "local" subnet is linked. 06:12 < r4co0n> Btw, OpenVPN does a great job! 06:18 -!- radonx [~radonx@server1.dutchunited.eu] has quit [Ping timeout: 265 seconds] 06:18 -!- Mazhive [~peter@telbo-200-6-150-250.cust.telbo.net] has quit [Remote host closed the connection] 06:42 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 06:42 -!- imrekt [isReKT2000@gateway/shell/layerbnc/x-jxxpzyapqfkdwzde] has quit [Remote host closed the connection] 06:45 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 06:59 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 07:00 -!- nitdega [~nitdega@2602:304:ab12:ace1:40c4:a280:9841:dfd2] has quit [Ping timeout: 264 seconds] 07:01 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 07:38 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt] 07:45 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com] 07:53 -!- r4co0n [~r4co0n@unaffiliated/r4co0n] has quit [Ping timeout: 272 seconds] 07:57 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 07:58 -!- moriko [~moriko@178.162.222.41.adsl.inet-telecom.org] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 08:03 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 08:07 -!- BrianBla- [~blaze@unaffiliated/brianblaze] has quit [Quit: Goodbye beautiful people! (ʎɐpʎɹəʌə pəəʍ əʞoɯs)] 08:08 -!- allizom [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has joined #openvpn 08:15 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. 
ZZZzzz…] 08:17 -!- mxtm [~mxtm@wardi.mxtm.me] has joined #openvpn 08:17 < mxtm> !ovpnuke 08:17 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6 08:19 < hiya> mxtm, sup? 08:21 -!- Hadi [~Instantbi@31.59.14.232] has joined #openvpn 08:21 -!- nemysis [~nemysis@freebsd/developer/pcbsd.nemysis] has quit [Quit: nemysis] 08:21 < mxtm> just poking around, i've been having some issues which i might bring up in here if i can't fix 08:22 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 08:25 -!- nemysis [~nemysis@freebsd/developer/pcbsd.nemysis] has joined #openvpn 08:28 < hiya> mxtm, What kinda issues? where is your server hosted? 08:29 -!- nemysis [~nemysis@freebsd/developer/pcbsd.nemysis] has quit [Max SendQ exceeded] 08:32 -!- esde [~something@openvpn/user/esde] has joined #openvpn 08:32 -!- mode/#openvpn [+v esde] by ChanServ 08:33 -!- dhcpfreely [~dhcp_free@ec2-52-33-220-248.us-west-2.compute.amazonaws.com] has quit [K-Lined] 08:34 -!- nemysis [~nemysis@freebsd/developer/pcbsd.nemysis] has joined #openvpn 08:42 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 08:44 -!- moriko [~moriko@178.162.222.41.adsl.inet-telecom.org] has joined #openvpn 08:51 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 276 seconds] 09:05 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 09:08 -!- u0m3 [~u0m3@5-12-78-171.residential.rdsnet.ro] has joined #openvpn 09:09 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 09:18 -!- bMalum [~textual@80-110-71-30.cgn.dynamic.surfer.at] has joined #openvpn 09:20 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. 
ZZZzzz…] 09:21 < bMalum> Hi 😊 I have to use an OpenVPN to access a Server, but when i connect to the VPN all traffic is routed through the VPN. But i only want to access the hosts from 192.168.255.100 to 192.168.255.200 ... how can i achieve this on the client side? Is it possible on the client side? 09:26 < DArqueBishop> bMalum: 09:26 < DArqueBishop> !route-nopull 09:26 <@vpnHelper> "route-nopull" is If you want to accept pushed options from the server but not apply the routes (including --redirect-gateway) you can use --route-nopull to ignore all pushed routes 09:27 < DArqueBishop> Although, on mature reflection, that may not help you. 09:27 < DArqueBishop> Oh! 09:28 < DArqueBishop> !redirect_ignore 09:28 <@vpnHelper> "redirect_ignore" is you can ignore --redirect-gateway (because you do not run the server, and the server pushes it to you) by reading the info at this page: https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway 09:29 -!- xamindar [~quassel@c-24-4-76-244.hsd1.ca.comcast.net] has joined #openvpn 09:29 -!- bMalum [~textual@80-110-71-30.cgn.dynamic.surfer.at] has quit [Read error: Connection reset by peer] 09:32 -!- bdmc [bdmc@cl-745.bos-01.us.sixxs.net] has quit [Ping timeout: 260 seconds] 09:34 -!- bMalum [~textual@80-110-71-30.cgn.dynamic.surfer.at] has joined #openvpn 09:35 < bMalum> DArqueBishop - sorry got a disconnect again - so i can add redirect_ignore to the *.openvpn File and everything is okay? 09:37 < DArqueBishop> bMalum: unfortunately, no. It's not quite that easy. 09:37 < DArqueBishop> !redirect_ignore 09:37 <@vpnHelper> "redirect_ignore" is you can ignore --redirect-gateway (because you do not run the server, and the server pushes it to you) by reading the info at this page: https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway 09:38 < DArqueBishop> You should read the link in that factoid. 09:40 -!- bMalum [~textual@80-110-71-30.cgn.dynamic.surfer.at] has quit [Quit: My Mac has gone to sleep. 
ZZZzzz…] 09:52 -!- moriko [~moriko@178.162.222.41.adsl.inet-telecom.org] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 09:57 -!- moriko [~moriko@178.162.222.41.adsl.inet-telecom.org] has joined #openvpn 10:03 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 10:06 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds] 10:10 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 10:18 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds] 10:20 -!- Hadi [~Instantbi@31.59.14.232] has quit [Remote host closed the connection] 10:26 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 10:30 -!- allizom [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has quit [Quit: allizom] 10:46 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 10:47 -!- e1z0 [u571@netlinux/founder/e1z0] has joined #openvpn 10:53 -!- ^CJ^ is now known as ^cj^ 11:08 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 11:15 -!- dougquaid [~dougquaid@unaffiliated/dougquaid] has joined #openvpn 11:16 < dougquaid> I'm connected to the telnet management interface but it is not responding to my commands. I type in "status" (without the quotes) and press enter, but it doesn't return anything. I don't see any errors in my server log either. Any ideas what makes this happen? 
11:17 -!- leonarth [~leonarth@unaffiliated/leonarth] has joined #openvpn 11:20 -!- paaltomo [~paaltomo@159.203.30.107] has joined #openvpn 11:20 -!- paaltomo [~paaltomo@159.203.30.107] has quit [Client Quit] 11:29 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 264 seconds] 11:30 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn 11:42 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Read error: Connection reset by peer] 11:42 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 11:44 -!- nitdega [~nitdega@2602:304:ab12:e9b1:59af:6d07:e39c:6dd0] has joined #openvpn 11:46 -!- zopsi [~zopsi@2a01:4f8:201:94e5::2] has joined #openvpn 11:46 -!- chachasmooth [~chachasmo@p4FC5F9EA.dip0.t-ipconnect.de] has quit [Remote host closed the connection] 11:48 -!- chachasmooth [~chachasmo@p4FC5F9EA.dip0.t-ipconnect.de] has joined #openvpn 11:48 -!- chachasmooth [~chachasmo@p4FC5F9EA.dip0.t-ipconnect.de] has quit [Remote host closed the connection] 11:48 -!- joako [~joako@opensuse/member/joak0] has quit [Quit: quit] 11:49 -!- chachasmooth [~chachasmo@p4FC5F9EA.dip0.t-ipconnect.de] has joined #openvpn 11:50 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn 12:00 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has joined #openvpn 12:01 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Quit: Quit.] 12:12 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Read error: Connection reset by peer] 12:13 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 12:18 -!- moriko [~moriko@178.162.222.41.adsl.inet-telecom.org] has quit [Quit: My Mac has gone to sleep. 
ZZZzzz…] 12:27 -!- chachasmooth [~chachasmo@p4FC5F9EA.dip0.t-ipconnect.de] has quit [Quit: Quit] 12:28 -!- chachasmooth [~chachasmo@p4FC5F9EA.dip0.t-ipconnect.de] has joined #openvpn 12:31 -!- chachasmooth [~chachasmo@p4FC5F9EA.dip0.t-ipconnect.de] has quit [Client Quit] 12:32 -!- leonarth [~leonarth@unaffiliated/leonarth] has quit [] 12:32 -!- chachasmooth [~chachasmo@p4FC5F9EA.dip0.t-ipconnect.de] has joined #openvpn 12:37 < hiya> chachasmooth, cool name 12:37 -!- lxusrbin [~lxusrbin@scotty.fr0st.it] has quit [Quit: leaving] 12:37 < chachasmooth> hiya :) 12:41 -!- moriko [~moriko@178.162.222.41.adsl.inet-telecom.org] has joined #openvpn 12:44 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 12:46 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 12:53 -!- hays [~quassel@unaffiliated/hays] has joined #openvpn 12:56 -!- moriko [~moriko@178.162.222.41.adsl.inet-telecom.org] has quit [Ping timeout: 265 seconds] 12:58 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 12:58 -!- lxusrbin [~lxusrbin@scotty.fr0st.it] has joined #openvpn 12:59 -!- DzAirmaX [~AirmaX@unaffiliated/dzairmax] has quit [Quit: We here br0.... xD] 13:05 -!- weox [uid112413@gateway/web/irccloud.com/x-pwxzhfxnjtxcufgz] has quit [Quit: Connection closed for inactivity] 13:05 -!- wallbroken [wallbroken@gateway/shell/bnc4free/x-qmocbcxmtwcafjsn] has joined #openvpn 13:05 < wallbroken> hi 13:05 < wallbroken> is there somebody of you who uses openvpn connect on ios? 13:07 -!- DzAirmaX [~AirmaX@unaffiliated/dzairmax] has joined #openvpn 13:47 -!- dazo is now known as dazo_afk 13:52 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn 13:52 < Kniaz> hi guys. where can I find rpm for this error message? 
Dependent module /usr/lib/libcrypto.a(libcrypto.so.1.0.1) could not be loaded 13:53 < Kniaz> for AIX 7.1 14:29 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 14:29 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Client Quit] 14:38 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 14:39 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Client Quit] 14:43 -!- allizom [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has joined #openvpn 14:52 -!- NightMonkey [~NightMonk@pdpc/supporter/professional/nightmonkey] has joined #openvpn 15:13 < DArqueBishop> wallbroken: I use it on a semi-regular basis. 15:13 < wallbroken> DArqueBishop, on ios 9? 15:13 < DArqueBishop> Yes. 15:16 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 256 seconds] 15:37 -!- Hadi [~Instantbi@31.59.14.232] has joined #openvpn 15:51 < wallbroken> DArqueBishop, please, try to connect from settings.app 15:51 < wallbroken> it works? 15:52 < DArqueBishop> Yes. 15:54 < wallbroken> it gets connected? 15:54 < DArqueBishop> Yes. 15:55 < wallbroken> can you tell me the server which you use? 15:55 < wallbroken> it's private? 15:55 < DArqueBishop> It connects to my own OpenVPN server. 15:56 < wallbroken> through openvpn connect app? 15:56 < DArqueBishop> Yes. 15:56 < wallbroken> 2016-01-21 18:00:56 TCP recv EOF 15:56 < wallbroken> 2016-01-21 18:00:56 Transport Error: Transport error on 'it.tunnelbear-ios.com: NETWORK_EOF_ERROR 15:56 < wallbroken> 2016-01-21 18:00:56 EVENT: TRANSPORT_ERROR Transport error on 'it.tunnelbear-ios.com: NETWORK_EOF_ERROR [ERR] 15:56 < wallbroken> in my case if i try to connect through settings.app. i get that error 15:57 < wallbroken> but if i directly open openvpn connect app and connect to, it works 15:57 < DArqueBishop> ... then just connect using the OpenVPN Connect app? 15:57 < wallbroken> ... 15:57 < DArqueBishop> That's what I do. 
I had never used the toggle in Settings until you asked me if it worked. 15:58 < wallbroken> i'm trying to figure out why it does not work 15:58 < wallbroken> you use user and password login? 15:58 < DArqueBishop> Nope, just certs. 15:59 < wallbroken> maybe that's why it does not work 15:59 < wallbroken> is there a way to put user and pass directly in the configuration file? 15:59 < DArqueBishop> Probably. I don't need user/pass authentication simply because I'm the only one who actually connects to the VPN server. 16:04 < DArqueBishop> wallbroken: so, a Google search might have saved you some questioning. 16:04 < DArqueBishop> https://docs.openvpn.net/docs/openvpn-connect/openvpn-connect-ios-faq.html 16:04 <@vpnHelper> Title: OpenVPN Connect iOS FAQ (at docs.openvpn.net) 16:07 < wallbroken> DArqueBishop, thank you very much 16:07 < wallbroken> that's what i was looking for 16:08 < wallbroken> now, the next question is: how to create the autologin profile? 16:40 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 272 seconds] 16:41 -!- Ajayhelp [~relaxhelp@206.248.138.246] has joined #openvpn 16:41 < Ajayhelp> Hi 16:42 < Ajayhelp> I am having trouble with license keys not showing on my account 16:43 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has left #openvpn [] 16:50 -!- AlmogBaku [~AlmogBaku@ec2-52-29-117-25.eu-central-1.compute.amazonaws.com] has joined #openvpn 16:56 -!- Ajayhelp [~relaxhelp@206.248.138.246] has quit [Quit: HydraIRC -> http://www.hydrairc.com <-] 17:01 -!- eelstrebor [~ki7rw@216.75.116.100] has joined #openvpn 17:05 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Remote host closed the connection] 17:20 -!- zerobaud [4df2707e@gateway/web/freenode/ip.77.242.112.126] has joined #openvpn 17:22 < zerobaud> I established a vpn connection to my vpn server, the vpn server pushes a default gw so all traffic gets routed through the vpn. 
The traffic enters tun0 and exits it on wlp3s0 (my wireless interface), the packets get a response, but the traffic never gets forwarded back... So there are no ICMP replies... 17:22 < zerobaud> I enabled sysctl net.ipv4.conf.all.forwarding 17:23 < zerobaud> does anybody know how to troubleshoot this? 17:25 < zerobaud> actually I am not sure if there are ping responses coming into the box, it might be ACKs.. 17:25 < zerobaud> any way to strip the SSL on wireshark? I have the priv key of course... 17:51 -!- weox [uid112413@gateway/web/irccloud.com/x-ybgdgmvwsblznxjk] has joined #openvpn 17:56 < illuminated_> zerobaud, is the vpn server also the gateway for the network? 18:19 -!- deviantintegral [~deviantin@drupal.org/user/71291/view] has quit [Quit: ZNC - http://znc.in] 18:21 -!- deviantintegral [~deviantin@drupal.org/user/71291/view] has joined #openvpn 18:36 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn 18:57 -!- AlmogBak_ [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 18:58 -!- jeev [~j@unaffiliated/jeev] has quit [Ping timeout: 265 seconds] 19:00 -!- AlmogBaku [~AlmogBaku@ec2-52-29-117-25.eu-central-1.compute.amazonaws.com] has quit [Ping timeout: 245 seconds] 19:01 -!- AlmogBak_ is now known as ALmogBaku 19:01 -!- ALmogBaku is now known as AlmogBaku 19:04 -!- jeev [~j@unaffiliated/jeev] has joined #openvpn 19:14 < zerobaud> illuminated_: I forgot to source NAT on the VPN server... 
it's fixed now 19:14 < zerobaud> I was under the assumption openvpn would create the rules itself 19:30 -!- e1z0 [u571@netlinux/founder/e1z0] has quit [Ping timeout: 250 seconds] 19:56 -!- Hadi [~Instantbi@31.59.14.232] has quit [Remote host closed the connection] 20:08 -!- allizom [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has quit [Quit: allizom] 20:26 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn 20:31 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 20:31 -!- BrianBlaze420 [~blaze@unaffiliated/brianblaze] has joined #openvpn 20:36 -!- BrianBlaze420 [~blaze@unaffiliated/brianblaze] has quit [Client Quit] 21:04 -!- BrianBlaze420 [~blaze@unaffiliated/brianblaze] has joined #openvpn 21:12 -!- pothepanda [~thgs@2a02:587:3c04:1300:29bd:eda6:11ed:de2d] has quit [Quit: You must come with me, young ones; for I am the Grim Reaper.] 21:17 -!- tobinski_ [~tobinski@x2f59970.dyn.telefonica.de] has joined #openvpn 21:21 -!- eelstrebor [~ki7rw@216.75.116.100] has quit [Quit: Ex-Chat] 21:21 -!- tobinski___ [~tobinski@x2f5a094.dyn.telefonica.de] has quit [Ping timeout: 276 seconds] 21:24 -!- r00t^2 [~bts@g.rainwreck.com] has quit [Read error: Connection reset by peer] 21:26 -!- r00t^2 [~bts@g.rainwreck.com] has joined #openvpn 21:37 -!- r00t^2 is now known as dad 21:37 -!- dad is now known as r00t^2 21:37 -!- r00t^2 is now known as dad 21:38 -!- dad is now known as r00t^2 21:47 -!- BrianBlaze420 [~blaze@unaffiliated/brianblaze] has quit [Ping timeout: 264 seconds] 21:52 -!- BrianBlaze420 [~blaze@unaffiliated/brianblaze] has joined #openvpn 21:53 < hiya> hi 21:54 -!- BrianBlaze420 [~blaze@unaffiliated/brianblaze] has quit [Client Quit] 21:57 -!- chachasmooth [~chachasmo@p4FC5F9EA.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds] 22:00 -!- chachasmooth [~chachasmo@p4FF8E378.dip0.t-ipconnect.de] has joined #openvpn 22:14 -!- Kephael [~Kephael@unaffiliated/kephael] 
has quit [Read error: Connection reset by peer] 22:14 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn 22:14 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Remote host closed the connection] 22:34 -!- BrianBlaze420 [~blaze@unaffiliated/brianblaze] has joined #openvpn 22:57 -!- mducharme3 [~mducharme@S01060018e7d0ef5e.vc.shawcable.net] has joined #openvpn 22:57 < mducharme3> !welcome 22:57 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 22:57 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 22:58 < mducharme3> I am getting the error: daemon.err openvpn(myvpn)[1503]: TCP: connect to [AF_INET]MYIPADDRESS:443 failed, will try again in 5 seconds: Connection timed out 22:59 < mducharme3> (I replaced the ip address of the openvpn server with "myipaddress" on purpose when I pasted) 23:01 < mducharme3> I've tried other clients to connect to the same server and they don't work either 23:04 < mducharme3> it's like I don't have connectivity, but I can connect to other ports on the same server 23:22 -!- mducharme3 [~mducharme@S01060018e7d0ef5e.vc.shawcable.net] has quit [Ping timeout: 240 seconds] 23:32 -!- themayor [~themayor@unaffiliated/themayor] has quit [Ping timeout: 272 seconds] 23:35 -!- ShadniX [dagger@p5DDFDFD4.dip0.t-ipconnect.de] has quit [Ping timeout: 248 seconds] 23:36 -!- ShadniX [dagger@p5DDFD7AB.dip0.t-ipconnect.de] has joined #openvpn 23:39 -!- themayor [~themayor@unaffiliated/themayor] has joined #openvpn --- Day changed Fri Jan 22 2016 00:01 -!- zerobaud [4df2707e@gateway/web/freenode/ip.77.242.112.126] has quit [Quit: 
Page closed] 00:04 -!- ghoti [~paul@hq.experiencepoint.com] has joined #openvpn 00:46 -!- darxun [darxun@crew.of.the.worldwide.famous.micros0ft.dk] has joined #openvpn 00:57 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 01:50 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn 02:29 -!- shiriru [~shiriru@87-126-135-219.btc-net.bg] has joined #openvpn 02:38 -!- Whoopie [~Whoopie@unaffiliated/whoopie] has quit [Quit: ZNC - http://znc.in] 02:45 -!- freekevin [freekevin@unaffiliated/freekevin] has quit [Ping timeout: 256 seconds] 02:47 -!- k0nsl [~k0nsl@unaffiliated/k0nsl] has quit [Ping timeout: 240 seconds] 02:48 -!- freekevin [freekevin@unaffiliated/freekevin] has joined #openvpn 02:48 -!- k0nsl [~k0nsl@unaffiliated/k0nsl] has joined #openvpn 03:01 -!- k0nsl [~k0nsl@unaffiliated/k0nsl] has quit [Quit: “If we don't believe in freedom of expression for people we despise, we don't believe in it at all — Noam Chomsky”] 03:02 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn 03:02 -!- k0nsl [~k0nsl@unaffiliated/k0nsl] has joined #openvpn 03:14 -!- Denial- [~Denial@81.141.23.242] has joined #openvpn 03:15 -!- Denial [~Denial@81.141.23.242] has quit [Ping timeout: 265 seconds] 03:20 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has joined #openvpn 03:29 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Quit: Quit.] 
03:35 -!- freekevin [freekevin@unaffiliated/freekevin] has quit [Ping timeout: 240 seconds] 03:38 -!- freekevin [freekevin@unaffiliated/freekevin] has joined #openvpn 03:38 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has quit [Read error: Connection reset by peer] 03:49 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 04:04 -!- mparisi [~mparisi@marcelo.feitoza.com.br] has quit [Ping timeout: 256 seconds] 04:10 -!- mparisi [~mparisi@marcelo.feitoza.com.br] has joined #openvpn 04:15 -!- adac [~adac@nat015-WLSU2.uibk.ac.at] has joined #openvpn 04:15 < adac> Hi! Is there an official docker image for openvpn? 04:19 -!- ^cj^ is now known as ^CJ^ 04:40 -!- Hadi [~Instantbi@31.59.14.232] has joined #openvpn 04:45 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Quit: Konversation terminated!] 04:46 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn 04:48 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 265 seconds] 05:13 -!- rich0_ [~quassel@gentoo/developer/rich0] has quit [Remote host closed the connection] 05:19 -!- Bluez_ [~Bluez@host31-48-120-88.range31-48.btcentralplus.com] has joined #openvpn 05:19 < Bluez_> hi guys 05:20 < Bluez_> if i use the openvpn client on ios to connect to an openvpn server, would that server be able to ping the LOCAL subnet the ios device is on? 05:20 < Bluez_> it seems by default (the classic ipsec/l2tp clients built in) ios won’t route between its interfaces 05:25 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. 
ZZZzzz…] 05:26 -!- rich0_ [~quassel@gentoo/developer/rich0] has joined #openvpn 05:35 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 05:38 -!- ^CJ^ is now known as ^cj^ 05:45 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn 05:49 -!- atralheaven [~atralheav@37.48.90.208] has joined #openvpn 05:50 -!- atralheaven [~atralheav@37.48.90.208] has left #openvpn [] 05:54 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 06:07 -!- wallbroken [wallbroken@gateway/shell/bnc4free/x-qmocbcxmtwcafjsn] has left #openvpn [] 06:15 -!- Bluez_ [~Bluez@host31-48-120-88.range31-48.btcentralplus.com] has quit [Quit: Bluez_] 06:24 -!- pothepanda [~thgs@athedsl-303918.home.otenet.gr] has joined #openvpn 06:42 -!- Bluez_ [~Bluez@host31-48-120-88.range31-48.btcentralplus.com] has joined #openvpn 06:50 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has joined #openvpn 06:52 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 06:57 -!- allizom [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has joined #openvpn 07:02 -!- kaos01 [~kaos01@12.186.233.220.static.exetel.com.au] has quit [Ping timeout: 260 seconds] 07:10 -!- pothepanda [~thgs@athedsl-303918.home.otenet.gr] has quit [Quit: ciao] 07:11 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 07:16 -!- ^cj^ is now known as ^CJ^ 07:31 -!- Hadi1 [~Instantbi@31.59.14.232] has joined #openvpn 07:33 -!- Hadi [~Instantbi@31.59.14.232] has quit [Ping timeout: 240 seconds] 07:33 -!- Hadi1 is now known as Hadi 07:33 -!- Hadi is now known as hadi 07:37 -!- Denial- [~Denial@81.141.23.242] has quit [Ping timeout: 240 seconds] 07:38 -!- luckman212 [~luckman21@unaffiliated/luckman212] has quit [Ping timeout: 240 seconds] 07:38 -!- Denial [~Denial@5.80.235.183] has joined #openvpn 07:45 -!- luckman212 [~luckman21@unaffiliated/luckman212] has joined #openvpn 08:09 -!- Bogdar 
[~bogdan@93.85.92.98] has joined #openvpn 08:09 < Bogdar> Hi! Does OpenVPN or some derived product support 'state sharing' feature for high-availability setup? 08:10 -!- adac [~adac@nat015-WLSU2.uibk.ac.at] has quit [Ping timeout: 265 seconds] 08:10 < Bogdar> I hope conntrackd allows me to keep TCP connections in Linux, but I would like to preserve VPN tunnel state too. 08:14 -!- dazo_afk is now known as dazo 08:28 -!- shootbird [~quassel@beepbeep.serverpit.com] has quit [Ping timeout: 244 seconds] 08:28 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 276 seconds] 08:30 -!- shootbird [~quassel@beepbeep.serverpit.com] has joined #openvpn 08:34 -!- Bluez__ [~Bluez@213.205.194.43] has joined #openvpn 08:35 -!- Bluez_ [~Bluez@host31-48-120-88.range31-48.btcentralplus.com] has quit [Ping timeout: 245 seconds] 08:35 -!- Bluez__ is now known as Bluez_ 08:40 -!- Bluez_ [~Bluez@213.205.194.43] has quit [Read error: Connection reset by peer] 08:42 -!- Bluez_ [~Bluez@host31-48-120-88.range31-48.btcentralplus.com] has joined #openvpn 08:45 < DArqueBishop> Bluez_: I'm pretty sure the answer to your answer is no. 08:45 < Bluez_> yeah i tried it and it didn’t work 08:45 < DArqueBishop> Er, answer to your question. 
08:46 < Bluez_> i think all the VPNs use the VPN core APIs iOS provides 08:46 < Bluez_> to route between interfaces the app would have to do it by itself since a non root user can’t set up routes on ios 08:46 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 08:48 -!- Bluez_ [~Bluez@host31-48-120-88.range31-48.btcentralplus.com] has quit [Quit: Bluez_] 08:53 < hiya> hi 08:54 -!- toli [~toli@ip-62-235-237-14.dsl.scarlet.be] has quit [Ping timeout: 246 seconds] 08:59 -!- rich0_ is now known as rich0 09:08 -!- allizom [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has quit [Quit: allizom] 09:15 -!- batrick [batrick@nmap/developer/batrick] has quit [Quit: WeeChat 1.3] 09:16 -!- toli [~toli@ip-83-134-71-101.dsl.scarlet.be] has joined #openvpn 09:16 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Quit: Konversation terminated!] 09:17 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn 09:18 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn 09:34 -!- Bluez_ [~Bluez@host31-48-120-88.range31-48.btcentralplus.com] has joined #openvpn 09:55 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com] 10:03 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 10:14 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 10:30 -!- kojin [~lbiosa@unaffiliated/kojin] has joined #openvpn 10:30 < kojin> hi all 10:31 < kojin> I've a problem with openvpn in rhel 10:31 < kojin> systemd[1]: PID file /var/run/openvpn/server.pid not readable (yet?) after start. 10:31 < kojin> can someone help me please? 10:36 -!- kojin [~lbiosa@unaffiliated/kojin] has quit [Quit: leaving] 11:08 -!- kaiza [~kaiza@172.98.67.45] has quit [Quit: Leaving] 11:12 -!- le0 [~le0@unaffiliated/le0] has joined #openvpn 11:14 -!- le0 [~le0@unaffiliated/le0] has quit [Client Quit] 11:15 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. 
ZZZzzz…] 11:22 -!- shiriru [~shiriru@87-126-135-219.btc-net.bg] has quit [Quit: Leaving] 11:24 -!- Bluez_ [~Bluez@host31-48-120-88.range31-48.btcentralplus.com] has quit [Quit: Bluez_] 11:25 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 11:28 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Client Quit] 11:42 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has quit [Quit: Leaving] 11:57 -!- atralheaven [~atralheav@37.48.90.208] has joined #openvpn 12:00 <@ecrist> he waited all of 5 minutes 12:03 -!- atralheaven [~atralheav@37.48.90.208] has left #openvpn [] 12:05 < hiya> heh 12:05 < hiya> Hello ecrist 12:05 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Quit: Quit.] 12:05 -!- penguinguru [~penguingu@120.146.12.20] has quit [Quit: Cya!] 12:12 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 12:14 -!- penguinguru [~penguingu@120.146.12.20] has joined #openvpn 12:24 <@ecrist> hi, hiya 12:38 < hiya> Can we limit the total bandwidth to be used by OpenVPN server? 12:38 < hiya> not individual clients? 12:55 < hays> I am getting complaints about excessive packets per second from my ISP. would switching to TCP help this? 13:05 -!- marcoslater [marcoslate@freenode/sponsor/halothe23] has joined #openvpn 13:06 -!- CaTtleyA [~CaTtleyA@aputeaux-653-1-39-166.w86-195.abo.wanadoo.fr] has quit [Ping timeout: 272 seconds] 13:06 < defsdoor> wtf ? 13:07 -!- CaTtleyA_ [~CaTtleyA@aputeaux-653-1-39-166.w86-195.abo.wanadoo.fr] has quit [Ping timeout: 272 seconds] 13:07 < marcoslater> Apologies for barging in, I'm curious, has anyone got dual-stack v4/v6 OpenVPN connect working on iPhones before? 13:08 <@dazo> marcoslater: I'd try to also ask that on #openvpn-as ... 13:08 <@dazo> !as 13:08 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. 
Access Server is a commercial product, different from open source OpenVPN 13:08 -!- CaTtleyA [~CaTtleyA@aputeaux-653-1-27-218.w86-195.abo.wanadoo.fr] has joined #openvpn 13:08 <@dazo> marcoslater: but some might have experience here in this channel too 13:08 < marcoslater> Without any dual-stack conf, it works fine with v4 traffic all being sent trough, however when v6 is also enabled, v6 traffic gets forwarded fine, however v4 doesnt at all and uses the local network instead. 13:08 * dazo does not 13:09 < marcoslater> Ah, let me fwd this question in there too. :) 13:09 -!- CaTtleyA_ [~CaTtleyA@aputeaux-653-1-27-218.w86-195.abo.wanadoo.fr] has joined #openvpn 13:18 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 13:20 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 13:26 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 260 seconds] 13:33 -!- allizom [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has joined #openvpn 13:34 -!- allizom [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has quit [Client Quit] 13:38 -!- shiriru [~shiriru@87-126-135-219.btc-net.bg] has joined #openvpn 13:40 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 13:47 -!- moviuro [~moviuro@ns3007255.ip-151-80-43.eu] has quit [Quit: Reboot? Or did my jail(8) just die?] 
13:48 -!- shiriru [~shiriru@87-126-135-219.btc-net.bg] has quit [Quit: Leaving] 13:59 -!- moviuro [~moviuro@ns3007255.ip-151-80-43.eu] has joined #openvpn 14:25 -!- macpablo [~praffo@static-71-191-218-195.washdc.fios.verizon.net] has joined #openvpn 14:27 -!- shootbird [~quassel@beepbeep.serverpit.com] has quit [Ping timeout: 272 seconds] 14:28 -!- shootbird [~quassel@beepbeep.serverpit.com] has joined #openvpn 14:31 -!- dasmkjhdksa [~dd62@43.225.199.66] has joined #openvpn 14:31 < dasmkjhdksa> !welcome 14:31 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample 14:31 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 14:31 < dasmkjhdksa> !goal 14:31 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 14:32 < dasmkjhdksa> !howto 14:32 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! 
or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN 14:36 -!- NickelSpike [~textual@72-45-3-179-dhcp.gsv.md.atlanticbb.net] has joined #openvpn 14:37 < dasmkjhdksa> !goal i would like to route my tun0 to tun1 14:37 < dasmkjhdksa> hmm 14:38 < dasmkjhdksa> I have 2 vpn servers and i would like the clinet -> vpn1 -> vpn2 how can i route all my tun0 traffic via tun1 14:39 -!- macpablo [~praffo@static-71-191-218-195.washdc.fios.verizon.net] has quit [Ping timeout: 264 seconds] 14:40 -!- macpablo [~praffo@pool-108-56-140-253.washdc.fios.verizon.net] has joined #openvpn 14:43 -!- macpablo_ [~praffo@static-71-191-218-195.washdc.fios.verizon.net] has joined #openvpn 14:44 < dasmkjhdksa> !route 14:44 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or 14:44 <@vpnHelper> client 14:44 < dasmkjhdksa> !tcpip 14:44 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know 14:45 -!- macpablo [~praffo@pool-108-56-140-253.washdc.fios.verizon.net] has quit [Ping timeout: 272 seconds] 14:45 -!- macpablo_ is now known as macpablo 14:50 < Poster> You wish to connect to a VPN server by way of a VPN server? 
14:51 < dasmkjhdksa> I setup a vpn_relay, client can connect to vpn_relayserver no problem works great vpn_relay have client.conf of himself who is connecting vpn_server that works great too 14:51 < dasmkjhdksa> what i am trying to achive is client->vpn_relay->vpnserver 14:52 < dasmkjhdksa> on vpn_relay i have both server.conf and client.conf and both starting without any problem 14:52 < dasmkjhdksa> tun0 and tun1 14:52 < dasmkjhdksa> basically what i am trying to do is route all tun0 via tun1 15:02 < Poster> If this is a Linux system, you may consider iproute2 and create a separate routing table to pivot through tun devices 15:02 < dasmkjhdksa> thats exactly my question 15:02 < dasmkjhdksa> how to do it 15:02 < dasmkjhdksa> and yes we talking about centos 6.5 15:04 < Poster> I'd probably start here: http://www.lartc.org/howto/lartc.rpdb.html 15:04 <@vpnHelper> Title: Rules - routing policy database (at www.lartc.org) 15:04 < Poster> do you need to have separate authentication on your pivot host? 15:04 < dasmkjhdksa> doesnt really matter to me 15:05 < Poster> it would probably be significantly easier to use netfilter to forward a given VPN port number to the vpn2 system 15:05 < dasmkjhdksa> all i really want is to connect my client to use vpnserver via vpn_relay a.k.a double vpn 15:05 < Poster> though that wouldn't be double per se, it would just put a hop in between 15:06 < dasmkjhdksa> hmm also an option but i prefer greater security by doubling my vpn 15:06 < Poster> ok so doubling your VPN, are you talking about encrypting twice? 
15:08 < dasmkjhdksa> sure why not 15:08 < dasmkjhdksa> right now i have client to vpn1 works 15:08 < dasmkjhdksa> vpn1 to vpn 2 15:08 < dasmkjhdksa> works 15:08 < dasmkjhdksa> i have tun0 with 10.8.0.0/24 15:09 < dasmkjhdksa> and tun1 with 10.8.1.0/24 15:09 < dasmkjhdksa> all i really want is routing tun0 to come out via tun1 15:09 < Poster> well yeah but both of those rely upon some type of tunnel to carry each 15:10 < Poster> if you double encrypt, everything leaving tun1 will already be encrypted and will be encrypted again 15:10 < dasmkjhdksa> is it possible? 15:10 < Poster> sure, though you're going to really start to feel the performance 15:11 < Poster> each time you encrypt you shrink the size of payload you can carry as well as create a longer "chain" for your data to flow 15:11 < dasmkjhdksa> i tried route route add -net 10.8.1.0 netmask 255.255.255.0 gw 10.8.0.6 15:11 < dasmkjhdksa> but didnt really helped 15:11 < dasmkjhdksa> i tried also iptables 15:11 < dasmkjhdksa> with snat 15:11 < dasmkjhdksa> same result 15:11 < dasmkjhdksa> client connect 15:11 < dasmkjhdksa> but have no inet access 15:12 < Poster> ok so your options there are to setup the 10.8.1.0 system with a route back to 10.8.0.0 via whatever IP is on tun1 OR perform masquerading/snat on traffic leaving tun1 15:12 < dasmkjhdksa> you have an example commands? 15:12 < Poster> /sbin/route add -net 10.8.0.0/24 gw 10.8.1.? 15:13 < dasmkjhdksa> tried 15:13 < dasmkjhdksa> didnt work 15:13 < dasmkjhdksa> : 15:13 < dasmkjhdksa> :/ 15:13 < Poster> what is the IP address on the intermediate host's tun0 interface? 
15:14 < dasmkjhdksa> tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 15:14 < dasmkjhdksa> inet addr:10.8.1.1 P-t-P:10.8.1.1 Mask:255.255.255.0 15:14 < dasmkjhdksa> UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 15:14 < dasmkjhdksa> RX packets:0 errors:0 dropped:0 overruns:0 frame:0 15:14 < dasmkjhdksa> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 15:14 < dasmkjhdksa> collisions:0 txqueuelen:100 15:14 < dasmkjhdksa> RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) 15:14 < dasmkjhdksa> tun1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 15:14 < dasmkjhdksa> inet addr:10.8.0.6 P-t-P:10.8.0.5 Mask:255.255.255.255 15:14 < dasmkjhdksa> UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 15:14 < dasmkjhdksa> RX packets:10 errors:0 dropped:0 overruns:0 frame:0 15:14 < dasmkjhdksa> TX packets:6 errors:0 dropped:0 overruns:0 carrier:0 15:14 < dasmkjhdksa> collisions:0 txqueuelen:100 15:14 < dasmkjhdksa> RX bytes:840 (840.0 b) TX bytes:504 (504.0 b) 15:14 < Poster> ok please use pastebin next time 15:15 < dasmkjhdksa> ah sorry 15:15 < Poster> your VPN client is coming in on tun0? The VPN server is connecting out somewhere else via tun1? 15:15 < dasmkjhdksa> correct 15:15 < Poster> ok so the other side of tun1 will need a route to 10.8.1.0/24 via 10.8.0.6 15:16 < Poster> /sbin/route add -net 10.8.1.0/24 gw 10.8.0.6 15:16 < Poster> once that is in place, try pinging 10.8.1.1 from the other side of tun1 15:16 < dasmkjhdksa> sec, let me be sure i understand you correctly 15:16 < dasmkjhdksa> i have client i have vpn1(aka vpnrelay) and i have vpn2(aka vpnserver) 15:17 < dasmkjhdksa> on vpn1 i need to put /sbin/route add -net 10.8.0.0/24 gw 10.8.1.6 15:17 < dasmkjhdksa> correct? 
15:17 < Poster> ok so the system connecting to vpn1 does need a route to 10.8.0.0/24 by way of 10.8.1.6 or whatever comes in tun0 15:18 < Poster> likewise the vpn2 system needs a route to 10.8.1.0/24 by way of the 10.8.0.6 or whatever comes in from tun1 15:18 < dasmkjhdksa> vpn2 routing 10.8.0.0/24 to eth0 15:18 < dasmkjhdksa> which is ok 15:19 < Poster> ok but remember the vpn2 system needs to know how to get back to 10.8.1.0 15:19 < Poster> regardless of what other routes may exist 15:19 < dasmkjhdksa> i see 15:19 < dasmkjhdksa> so how i do that 15:19 < dasmkjhdksa> ? 15:19 < Poster> /sbin/route add -net 10.8.1.0/24 gw 10.8.0.6 15:20 < Poster> or whatever is assigned to tun1 on the vpn relay 15:20 < dasmkjhdksa> sec 15:20 < dasmkjhdksa> 10.8.1.0 10.8.0.6 255.255.255.0 UG 0 0 0 tun1 15:20 < dasmkjhdksa> ok? 15:20 < dasmkjhdksa> now on vpn2 15:20 < dasmkjhdksa> what command to give 15:20 < dasmkjhdksa> ? 15:21 -!- dazo is now known as dazo_afk 15:21 < Poster> that route should be added to vpn2 15:21 < dasmkjhdksa> vpn2 dont have tun1 15:21 < dasmkjhdksa> he only have tun0 15:22 < dasmkjhdksa> which is 10.8.0.0/24 15:22 < dasmkjhdksa> 1 sec 15:22 < dasmkjhdksa> let me make you a pastebin 15:22 < dasmkjhdksa> and you can see 15:22 < dasmkjhdksa> what i am talking about 15:25 < macpablo> Hi I’m trying to set up a vpn and I cannot get them to connect. This is the log from the server in verb 6 http://pastebin.com/eH4DXZ3f 15:27 < Poster> macpablo: I can't say for sure, but your mtu definition of 1500 is probably not going to work due to the overhead of a VPN link 15:27 < Poster> I would start out by commenting out the "link-mtu" line 15:32 < dasmkjhdksa> http://pastebin.com/We7Ucq3x 15:32 < dasmkjhdksa> that the outputs of all my configs 15:34 < dasmkjhdksa> so basically client -> vpn1 gets eth0 vpn1 no problem 15:34 < dasmkjhdksa> vpn1 -> vpn2 gets eth0 of vpn2 no problem 15:34 < dasmkjhdksa> what am i doing wrong? 
15:34 -!- allizom [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has joined #openvpn 15:36 < Poster> does vpn1 have a route to 151.x.x.x? 15:36 < dasmkjhdksa> tun0 is the route 15:37 < dasmkjhdksa> he connect as a client to 151 15:37 < dasmkjhdksa> his ip is 10.8.0.6 and 151 is 10.8.0.1 15:37 < dasmkjhdksa> i can ping 15:37 < dasmkjhdksa> no problem 15:37 < Poster> yeah I see the public addresses being used 15:37 < Poster> but if you're pinging 151.x.x.x from vpn1, it's across the Internet, not within the VPN link 15:38 < dasmkjhdksa> correct 15:38 < Poster> in any event, on vpn2/151.x.x.x, try adding this: 15:38 < Poster> /sbin/route add 10.8.1.0/24 gw 10.8.0.6 15:39 < Poster> from vpn2/151.x.x.x then try ping -c4 10.8.1.1 15:39 < dasmkjhdksa> u mean 15:39 < dasmkjhdksa> /sbin/route add -net 10.8.1.0/24 gw 10.8.0.6 15:39 < dasmkjhdksa> ? 15:39 < Poster> yeah 15:39 < dasmkjhdksa> /sbin/route add -net 10.8.1.0/24 gw 10.8.0.6 15:39 < dasmkjhdksa> SIOCADDRT: Network is unreachable 15:40 < dasmkjhdksa> 151 dont know 15:40 < dasmkjhdksa> what is 10.8.1.0 15:40 < dasmkjhdksa> 151 = vpn2 15:40 < macpablo> Poster: the link-mtu didn’t work, its detecting the mtu and assigning a smaller one for the tunnel already. I tried setting it lower but didn’t help 15:40 < Poster> vpn2 has to know how to get back to the range on tun0 of vpn1 15:40 < Poster> if you don't want to do that, you should be able to use iptables 15:41 < dasmkjhdksa> hmm 15:41 < dasmkjhdksa> i am not fully understand how is that even possible 15:41 < dasmkjhdksa> i have a client connecting to 43.X.X.X 15:41 < dasmkjhdksa> 43 is my relay 15:41 < Poster> macpablo: I have had a similar issue, the result was a partially braindead implementation of connection tracking, portions of the UDP frames would make it, but eh handshake would never complete. You can try changing UDP ports or consider changing the link to be TCP based which is less prone to connection tracking issues. 
15:42 < dasmkjhdksa> 43 can is acting as server for client and assigning him 10.8.1.0 subnet 15:42 < dasmkjhdksa> 43 is also a client of 151 which is vpn2 15:42 < dasmkjhdksa> with subnet address of 10.8.0.0 15:42 < Poster> ok so let's back up, what is it you want to send to vpn2 by way of the vpn1 client? 15:43 < dasmkjhdksa> i just want my client to be able to connect to vpn1 but routing everything via vpn2 15:43 < dasmkjhdksa> so when he access whatismyip 15:43 < dasmkjhdksa> he gets vpn2 ip 15:43 < dasmkjhdksa> like i said 15:43 < dasmkjhdksa> i want to do double vpn 15:44 < dasmkjhdksa> vpn who connect to vpn 15:44 < Poster> ok so keep in mind that "routing everything" means that vpn1's default gateway is vpn2, in doing so connections to vpn1 directly will stop working unless you setup iproute2 15:44 < dasmkjhdksa> how i setup iproute2 15:44 < dasmkjhdksa> :/ 15:44 < dasmkjhdksa> i dont want routing everything 15:44 < dasmkjhdksa> i want to route only the client subnet 15:44 < dasmkjhdksa> which is 10.8.1 15:45 < dasmkjhdksa> and i want it routed to 10.8.0 15:45 < dasmkjhdksa> so he can use the vpn2 ip 15:45 < Poster> you should probably just focus on iproute2 for now 15:45 < dasmkjhdksa> let me read alil about it 15:45 < dasmkjhdksa> and see 15:45 < dasmkjhdksa> what can be done 15:45 < dasmkjhdksa> i mean 15:45 < Poster> until you have an undersanding of it's setup, I don't think you're going to have much luck 15:46 < dasmkjhdksa> i dont understand 15:46 < dasmkjhdksa> it should be a simple matter:/ 15:46 < dasmkjhdksa> am i trying to invent a new wheel? 
15:46 < dasmkjhdksa> vpn inside of vpn 15:47 < dasmkjhdksa> some vpn service offer it 15:54 < Poster> it's not an easy concept to understand or setup, while I understand your goal, I also understand there are some building blocks you need to become familiar with before you can get there 15:55 < dasmkjhdksa> i feel like i am at the end of the road and just missing the last piece of the puzzel 15:55 < dasmkjhdksa> like 15:55 < dasmkjhdksa> client connect to vpn1 15:55 < dasmkjhdksa> no problem 15:55 < dasmkjhdksa> vpn 1 connect to vpn2 15:55 < dasmkjhdksa> again no problem 15:55 < Poster> yeah it's iproute2 15:55 < dasmkjhdksa> vpn1 see both client and vpn2 15:56 < dasmkjhdksa> i just want all 10.8.1.0/24 to be routed to 10.8.0.6 15:56 < dasmkjhdksa> but when i put the route rule 15:56 < dasmkjhdksa> its not working 15:56 < dasmkjhdksa> maybe config problems 15:56 < dasmkjhdksa> maybe iptables problems 15:56 < dasmkjhdksa> that what i am here to try figure out 16:32 -!- john-soda [~john-soda@chello080108121210.2.11.vie.surfer.at] has joined #openvpn 17:06 -!- shootbird [~quassel@beepbeep.serverpit.com] has quit [Ping timeout: 240 seconds] 17:07 -!- shootbird [~quassel@beepbeep.serverpit.com] has joined #openvpn 17:11 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn 17:11 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 17:18 -!- shootbird [~quassel@beepbeep.serverpit.com] has quit [Ping timeout: 245 seconds] 17:19 -!- shootbird [~quassel@beepbeep.serverpit.com] has joined #openvpn 17:24 -!- macpablo [~praffo@static-71-191-218-195.washdc.fios.verizon.net] has quit [Quit: macpablo] 17:45 -!- ^CJ^ is now known as ^cj^ 17:48 -!- NickelSpike [~textual@72-45-3-179-dhcp.gsv.md.atlanticbb.net] has quit [Quit: My Mac has gone to sleep. 
ZZZzzz…] 17:48 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Remote host closed the connection] 17:52 -!- NickelSpike [~textual@72-45-3-179-dhcp.gsv.md.atlanticbb.net] has joined #openvpn 18:14 -!- john-soda [~john-soda@chello080108121210.2.11.vie.surfer.at] has quit [Ping timeout: 250 seconds] 18:37 -!- nitdega [~nitdega@2602:304:ab12:e9b1:59af:6d07:e39c:6dd0] has quit [Quit: ZNC - 1.6.0 - http://znc.in] 18:40 -!- NickelSpike [~textual@72-45-3-179-dhcp.gsv.md.atlanticbb.net] has quit [Ping timeout: 240 seconds] 19:05 -!- chachasmooth [~chachasmo@p4FF8E378.dip0.t-ipconnect.de] has quit [Quit: Quit] 19:13 -!- chachasmooth [~chachasmo@p4FF8E378.dip0.t-ipconnect.de] has joined #openvpn 19:22 -!- chachasmooth [~chachasmo@p4FF8E378.dip0.t-ipconnect.de] has quit [Quit: Quit] 19:23 -!- chachasmooth [~chachasmo@p4FF8E378.dip0.t-ipconnect.de] has joined #openvpn 19:34 -!- nitdega [~nitdega@2602:304:ab12:e9b1:59af:6d07:e39c:6dd0] has joined #openvpn 19:38 -!- imrekt [isReKT2000@gateway/shell/layerbnc/x-uwthmvhmdbryiljv] has joined #openvpn 19:38 -!- chachasmooth [~chachasmo@p4FF8E378.dip0.t-ipconnect.de] has quit [Quit: Quit] 19:38 -!- chachasmooth [~chachasmo@p4FF8E378.dip0.t-ipconnect.de] has joined #openvpn 19:40 -!- chachasmooth [~chachasmo@p4FF8E378.dip0.t-ipconnect.de] has quit [Max SendQ exceeded] 19:40 -!- chachasmooth [~chachasmo@p4FF8E378.dip0.t-ipconnect.de] has joined #openvpn 19:41 -!- chachasmooth [~chachasmo@p4FF8E378.dip0.t-ipconnect.de] has quit [Remote host closed the connection] 19:43 -!- chachasmooth [~chachasmo@p4FF8E378.dip0.t-ipconnect.de] has joined #openvpn 19:44 -!- chachasmooth [~chachasmo@p4FF8E378.dip0.t-ipconnect.de] has quit [Max SendQ exceeded] 19:44 -!- chachasmooth [~chachasmo@p4FF8E378.dip0.t-ipconnect.de] has joined #openvpn 19:45 -!- allizom [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has quit [Quit: allizom] 19:46 -!- SpeakerToMeat [~SpeakerTo@prgmr/customer/SpeakerToMeat] has 
joined #openvpn 19:47 < SpeakerToMeat> Hello 19:47 < SpeakerToMeat> Question, if I make a crl with the help of revoke-full in the scripts, and revoke a few certs, I can move/archive/rm these certs and create new ones with the same name (and use them), right? 19:54 < hays> Is there a way t optimize openvpn to reduce packets per second? I'm getting flagged as a source of a DOS by my provider due to high PPS (~50,000) 20:08 -!- chachasmooth [~chachasmo@p4FF8E378.dip0.t-ipconnect.de] has quit [Quit: Quit] 20:44 -!- troyt [~troyt@c-67-161-210-245.hsd1.ut.comcast.net] has quit [Remote host closed the connection] 20:46 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Quit: Leaving] 21:12 -!- troyt [~troyt@c-67-161-210-245.hsd1.ut.comcast.net] has joined #openvpn 21:16 -!- tobinski___ [~tobinski@x2f5c479.dyn.telefonica.de] has joined #openvpn 21:19 -!- tobinski_ [~tobinski@x2f59970.dyn.telefonica.de] has quit [Ping timeout: 250 seconds] 21:44 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn 22:06 -!- hadi [~Instantbi@31.59.14.232] has quit [Remote host closed the connection] 22:09 -!- NP-Hardass [~NP-Hardas@gentoo/developer/np-hardass] has quit [Quit: WeeChat 1.3] 22:19 -!- NP-Hardass [~NP-Hardas@gentoo/developer/np-hardass] has joined #openvpn 22:25 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving] 22:35 -!- weox [uid112413@gateway/web/irccloud.com/x-ybgdgmvwsblznxjk] has quit [Quit: Connection closed for inactivity] 23:08 -!- LogicalUnit [~LogicalUn@124.168.214.125] has joined #openvpn 23:10 -!- john-soda [~john-soda@chello080108121210.2.11.vie.surfer.at] has joined #openvpn 23:11 < LogicalUnit> Hi everyone, I'm having trouble with my VPN gateway. I'm trying to bridge 2 networks by dialing into the same VPN server. I can ping the gateway's VPN IP and local IP, but can't access the rest of its local network. 
I'm not seeing the VPN -> LAN mapping when I initialise VPN 23:19 -!- AfroThundr [~AfroThund@2601:147:c001:6667:9c20:ccd0:104e:ae4a] has quit [Read error: Connection reset by peer] 23:20 -!- AfroThundr [~AfroThund@2601:147:c001:6667:9c20:ccd0:104e:ae4a] has joined #openvpn 23:26 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn 23:34 -!- ShadniX [dagger@p5DDFD7AB.dip0.t-ipconnect.de] has quit [Ping timeout: 248 seconds] 23:36 -!- ShadniX [dagger@p5481DE9D.dip0.t-ipconnect.de] has joined #openvpn 23:40 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Ping timeout: 240 seconds] 23:42 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn 23:56 -!- weox [uid112413@gateway/web/irccloud.com/x-gxqkhynctkdsnung] has joined #openvpn --- Day changed Sat Jan 23 2016 00:07 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn 00:08 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Client Quit] 00:10 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn 00:10 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Client Quit] 00:15 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn 00:15 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Client Quit] 00:15 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn 00:39 -!- james41382 [~james4138@unaffiliated/james41382] has quit [Quit: Leaving] 00:42 -!- james41382 [~james4138@unaffiliated/james41382] has joined #openvpn 00:44 -!- LogicalUnit [~LogicalUn@124.168.214.125] has quit [Read error: Connection reset by peer] 00:47 -!- LogicalUnit [~LogicalUn@124.168.214.125] has joined #openvpn 00:48 < LogicalUnit> I just made a post on the openvpn forums as a new user. How long does it take to approve? 
00:57 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 01:40 -!- LogicalUnit [~LogicalUn@124.168.214.125] has quit [Ping timeout: 276 seconds] 01:46 -!- themayor [~themayor@unaffiliated/themayor] has quit [Quit: ZNC - http://znc.in] 01:48 -!- james41382 [~james4138@unaffiliated/james41382] has quit [Quit: Leaving] 02:05 -!- james41382 [~james4138@unaffiliated/james41382] has joined #openvpn 02:19 -!- azizLIGHT [~azizLIGHT@unaffiliated/azizlight] has joined #openvpn 02:20 < azizLIGHT> hello, can i cancel this command "openssl dhparam -out /etc/openvpn/dh2048.pem 2048" and do it later 02:20 < azizLIGHT> i want to upgrade openssl first 02:20 < azizLIGHT> im trying to setup the CA and such 02:51 -!- chachasmooth [~chachasmo@p4FC5F86C.dip0.t-ipconnect.de] has joined #openvpn 02:52 -!- chachasmooth [~chachasmo@p4FC5F86C.dip0.t-ipconnect.de] has quit [Client Quit] 02:52 -!- chachasmooth [~chachasmo@p4FC5F86C.dip0.t-ipconnect.de] has joined #openvpn 03:06 -!- john-soda [~john-soda@chello080108121210.2.11.vie.surfer.at] has quit [Quit: Leaving] 03:10 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Quit: dionysus69] 03:40 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt] 03:41 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 03:42 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 250 seconds] 03:43 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn 05:02 < azizLIGHT> can i have multiple ... and ... inside one ovpn profile? 05:05 < azizLIGHT> like client1client2client3client1client2client3 05:07 < hiya> ok 05:07 < hiya> azizLIGHT, ctrl + c or z 05:07 < azizLIGHT> what? 
05:08 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 272 seconds] 05:09 < azizLIGHT> hiya: i dont understand 05:10 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn 05:10 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 05:11 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn 05:45 -!- weox [uid112413@gateway/web/irccloud.com/x-gxqkhynctkdsnung] has quit [Quit: Connection closed for inactivity] 05:55 -!- shiriru [~shiriru@87-126-135-219.btc-net.bg] has joined #openvpn 06:14 -!- shiriru [~shiriru@87-126-135-219.btc-net.bg] has quit [Quit: Leaving] 06:50 -!- shiriru [~shiriru@87-126-135-219.btc-net.bg] has joined #openvpn 07:00 -!- shiriru [~shiriru@87-126-135-219.btc-net.bg] has quit [Quit: Leaving] 07:01 -!- atralheaven [~atralheav@151.238.80.8] has joined #openvpn 07:03 < atralheaven> how an openvpn account can be abused and cause trouble for the server owner? 07:07 -!- pothepanda [~thgs@2a02:587:3c04:1300:29bd:eda6:11ed:de2d] has joined #openvpn 07:08 -!- atralheaven [~atralheav@151.238.80.8] has quit [Ping timeout: 240 seconds] 07:09 -!- atralheaven [~atralheav@37.48.90.208] has joined #openvpn 07:16 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Ping timeout: 260 seconds] 07:22 -!- weox [uid112413@gateway/web/irccloud.com/x-ierfdksgvmhpvnmr] has joined #openvpn 07:41 -!- shootbird [~quassel@beepbeep.serverpit.com] has quit [Ping timeout: 240 seconds] 07:41 -!- MalekAlrwily [bc37355c@gateway/web/freenode/ip.188.55.53.92] has joined #openvpn 07:41 < MalekAlrwily> Hi. 07:42 -!- shootbird [~quassel@beepbeep.serverpit.com] has joined #openvpn 07:43 < MalekAlrwily> Is it possible to create an OpenVPN server and make all clients acts like in the same LAN? 
07:44 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn 07:56 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com] 08:05 -!- MalekAlrwily [bc37355c@gateway/web/freenode/ip.188.55.53.92] has quit [Quit: Page closed] 08:10 -!- shootbird [~quassel@beepbeep.serverpit.com] has quit [Ping timeout: 240 seconds] 08:11 -!- shootbird [~quassel@beepbeep.serverpit.com] has joined #openvpn 08:16 -!- shootbird [~quassel@beepbeep.serverpit.com] has quit [Ping timeout: 256 seconds] 08:17 -!- shootbird [~quassel@beepbeep.serverpit.com] has joined #openvpn 08:27 < hiya> hi 08:40 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 08:57 -!- atralheaven [~atralheav@37.48.90.208] has left #openvpn [] 09:29 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn 09:36 -!- pothepanda [~thgs@2a02:587:3c04:1300:29bd:eda6:11ed:de2d] has quit [Quit: Leaving] 09:36 -!- pothepanda [~thgs@2a02:587:3c04:1300:29bd:eda6:11ed:de2d] has joined #openvpn 10:06 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has quit [Quit: Ciao!] 10:08 -!- allizom [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has joined #openvpn 10:12 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds] 10:17 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 10:26 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 10:27 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds] 10:30 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 10:42 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds] 10:51 < hiya> ecrist, Can you please take a look at my server conf? 10:58 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Quit: BitchX-1.2.1 -- just do it.] 
11:01 < hiya> ecrist, I Pmed you kindly take a look and correct if some errors or not written well :) please, also add some tips, I beg of you 11:01 < hiya> I don't beg but its humble request 11:05 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn 11:34 -!- petersaints [~petersain@a95-92-215-252.cpe.netcabo.pt] has joined #openvpn 11:34 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 11:44 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 11:51 -!- eelstrebor [~ki7rw@216.75.116.100] has joined #openvpn 11:52 -!- chachasmooth [~chachasmo@p4FC5F86C.dip0.t-ipconnect.de] has quit [Ping timeout: 260 seconds] 11:55 -!- chachasmooth [~chachasmo@p4FF8FB62.dip0.t-ipconnect.de] has joined #openvpn 12:00 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Quit: BitchX: not a flotation device] 12:00 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn 12:05 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Quit: BitchX: so real, you'll wet yourself!] 12:07 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn 12:30 -!- eelstrebor [~ki7rw@216.75.116.100] has quit [Quit: Ex-Chat] 12:36 -!- _Sam-- [~asasd@unaffiliated/greybits] has joined #openvpn 12:37 < _Sam--> Hi, am noticing when I start openvpn that it is making a listening port on a high port number (random), but I don't have it configured to listen, and i'm only running a client and not a server.....does anyone know what the listening port from openvpn is on like port 38000-50000 random? 12:38 < _Sam--> udp 0 0 0.0.0.0:54507 0.0.0.0:* 32762/openvpn 12:39 < _Sam--> i even tried making openvpn from source to make sure i didnt have a bad binary or something, but same thing. 
13:09 -!- allizom [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has quit [Quit: allizom] 13:25 -!- darxun [darxun@crew.of.the.worldwide.famous.micros0ft.dk] has left #openvpn [] 13:33 -!- dougquaid [~dougquaid@unaffiliated/dougquaid] has quit [Read error: No route to host] 14:51 -!- MrAlexandr0 [~MrAlexand@43.232.251.212.customer.cdi.no] has joined #openvpn 14:55 < MrAlexandr0> what is tcp overflow? 15:01 < hiya> why won't cli-openvpn respect DNS push? 15:02 < hiya> Also does Network Manager plugin use latest OpenVPN if we use OpenVPN repo and upgrade it? 15:02 < dasmkjhdksa> this guy dont respect noone i tell ya 15:02 < dasmkjhdksa> :) 15:03 < Neighbour> _Sam--: odd, I am noticing the same thing...I have no idea why openvpn opens up a listening UDP port in client mode 15:03 < hiya> ? 15:34 < _Sam--> Neighbour, thank you, at least i know it's not just me. if you can find anything in the source, please let me know. 15:57 -!- s7r_ is now known as s7r 16:01 -!- APTX [~APTX@unaffiliated/aptx] has quit [Read error: Connection reset by peer] 16:03 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn 16:06 -!- james41382 [~james4138@unaffiliated/james41382] has quit [Ping timeout: 265 seconds] 16:24 < Neighbour> _Sam--: I might have a hypothesis...UDP is connectionless, so both sides (server, client) basically toss UDP packets at eachother and wait for a reply. In order to be able to receive incoming UDP packets, a process must listen for them. 16:27 < _Sam--> well im connected to the openvpn server fine. and nothing is connected to the udp listening port. so how is this essential for anything? 16:31 < _Sam--> ive also used tcpdump to make sure nothing is connecting to it, and it isn't....yet my vpn works fine. so i must toss your hypothesis out the window. 
16:31 < Neighbour> try a tcpdump while the tunnel is being used...check the dst port of incoming packets from the openvpn server 16:31 < Neighbour> it should match the port that the client is listening on 16:32 < _Sam--> thank you, i will double check it. 16:32 < Neighbour> (unless, of course openvpn is configured to use tcp instead of udp, but in that case I would not expect the client to have an open UDP listening port at all) 16:34 < _Sam--> Neighbour, thank you, again. I must say, I was wrong, and you were right. When I double check tcpdump I do see exactly what you said I would. Thank you. 16:34 -!- shootbird [~quassel@beepbeep.serverpit.com] has quit [Ping timeout: 265 seconds] 16:34 < Neighbour> np, glad I could help 16:35 -!- shootbird [~quassel@beepbeep.serverpit.com] has joined #openvpn 16:37 < _Sam--> thanks again, peace. 16:37 -!- _Sam-- [~asasd@unaffiliated/greybits] has quit [Quit: Leaving] 16:43 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Remote host closed the connection] 17:09 -!- james41382 [~james4138@unaffiliated/james41382] has joined #openvpn 17:15 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 18:31 -!- azizLIGHT [~azizLIGHT@unaffiliated/azizlight] has quit [Quit: leaving] 18:49 -!- cirdan [~cirdan@c-73-197-122-148.hsd1.nj.comcast.net] has joined #openvpn 18:50 < cirdan> Hi. I have a routed openvpn network that works well except for 1 thing. I need to access a host like it was on the vpn side, but it's on the lan side. is there some way I can forward all traffic from vpn-ip-12 to lan-ip-44, where vpn-ip-12 can by any up 18:50 < cirdan> ip 18:52 < cirdan> the host I want to talk to is an xbox 1 so I can't have it connect to the vpn 19:02 < cirdan> can I use snat or something? 
19:18 -!- arlen [~arlen@jarvis.arlen.io] has quit [Quit: exit]
19:44 -!- dasmkjhdksa [~dd62@43.225.199.66] has quit [Ping timeout: 250 seconds]
19:45 -!- fred`` [fred@earthli.ng] has left #openvpn ["Leaving"]
19:47 -!- toli [~toli@ip-83-134-71-101.dsl.scarlet.be] has quit [Quit: ZNC - http://znc.in]
19:54 -!- toli [~toli@ip-83-134-71-101.dsl.scarlet.be] has joined #openvpn
20:53 -!- toli [~toli@ip-83-134-71-101.dsl.scarlet.be] has quit [Ping timeout: 246 seconds]
21:00 -!- toli [~toli@ip-83-134-71-71.dsl.scarlet.be] has joined #openvpn
21:14 -!- tobinski_ [~tobinski@x2f5498e.dyn.telefonica.de] has joined #openvpn
21:16 -!- AfroThundr [~AfroThund@2601:147:c001:6667:9c20:ccd0:104e:ae4a] has quit [Ping timeout: 240 seconds]
21:18 -!- tobinski___ [~tobinski@x2f5c479.dyn.telefonica.de] has quit [Ping timeout: 250 seconds]
21:23 -!- AfroThundr [~AfroThund@mobile-166-171-059-179.mycingular.net] has joined #openvpn
21:23 -!- AfroThundr [~AfroThund@mobile-166-171-059-179.mycingular.net] has quit [Max SendQ exceeded]
21:35 -!- Hadi [~Instantbi@gateway/vpn/privateinternetaccess/merandus] has joined #openvpn
21:41 -!- chachasmooth [~chachasmo@p4FF8FB62.dip0.t-ipconnect.de] has quit [Ping timeout: 272 seconds]
21:41 -!- chachasmooth [~chachasmo@p4FC5F831.dip0.t-ipconnect.de] has joined #openvpn
21:58 -!- CaTtleyA_ [~CaTtleyA@aputeaux-653-1-27-218.w86-195.abo.wanadoo.fr] has quit [Remote host closed the connection]
21:58 -!- CaTtleyA [~CaTtleyA@aputeaux-653-1-27-218.w86-195.abo.wanadoo.fr] has quit [Ping timeout: 272 seconds]
21:58 -!- CaTtleyA_ [~CaTtleyA@aputeaux-653-1-27-218.w86-195.abo.wanadoo.fr] has joined #openvpn
21:58 -!- CaTtleyA [~CaTtleyA@aputeaux-653-1-27-218.w86-195.abo.wanadoo.fr] has joined #openvpn
22:25 -!- arlen [~arlen@jarvis.arlen.io] has joined #openvpn
22:59 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
23:05 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 240 seconds]
23:10 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
23:34 -!- ShadniX [dagger@p5481DE9D.dip0.t-ipconnect.de] has quit [Ping timeout: 248 seconds]
23:35 -!- ShadniX [dagger@p5481D8AC.dip0.t-ipconnect.de] has joined #openvpn
23:40 -!- james41382 [~james4138@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
23:52 -!- james41382 [~james4138@unaffiliated/james41382] has joined #openvpn
--- Day changed Sun Jan 24 2016
00:14 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds]
00:20 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
00:29 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 240 seconds]
00:31 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
00:44 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Quit: [BX] It's game over, man! game over!]
00:44 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
01:57 -!- MalekAlrwily [bc37355c@gateway/web/freenode/ip.188.55.53.92] has joined #openvpn
01:59 < hiya> !goal
01:59 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
01:59 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has joined #openvpn
01:59 < hiya> ecrist, Did you see?
01:59 < hiya> :)
02:04 -!- NP-Hardass [~NP-Hardas@gentoo/developer/np-hardass] has quit [Ping timeout: 260 seconds]
02:08 < MalekAlrwily> Hi
02:12 < hiya> MalekAlrwily, What's up my man?
02:14 < MalekAlrwily> hiya: I want to create OpenVPN server and make all clients acts like in the same lan. is this possible?
02:15 -!- NP-Hardass [~NP-Hardas@gentoo/developer/np-hardass] has joined #openvpn
02:16 < hiya> MalekAlrwily, act like in the same lan as if you want clients to talk to each other?
02:16 -!- ustn [~ustn@p4FDB0FE8.dip0.t-ipconnect.de] has joined #openvpn
02:16 < MalekAlrwily> hiya: exactly
02:17 < hiya> MalekAlrwily, client-to-client
02:17 < hiya> MalekAlrwily, Do you want me to write a configuration for you?
02:17 < MalekAlrwily> hiya: yes please :D
02:18 < hiya> I charge 10 USD
02:18 < hiya> hehe
02:18 < hiya> in Bitcoins
02:18 < MalekAlrwily> lol
02:19 < MalekAlrwily> no thanks I will create it my self :)
02:20 < hiya> https://openvpn.net/index.php/open-source/documentation/howto.html#config
02:20 <@vpnHelper> Title: HOWTO (at openvpn.net)
02:20 < hiya> MalekAlrwily, ^
02:20 < hiya> check this "client-to-client"
02:20 < hiya> is the key to success :)
02:34 < MalekAlrwily> hiya: I can't understand this (you won't need this if the OpenVPN server box is the gateway for the server LAN)
02:34 < MalekAlrwily> on normal vps what it would like to be?
02:35 < hiya> MalekAlrwily, you have to route them on lan IPs
02:36 < hiya> Uncomment out the client-to-client directive if you would like connecting clients to be able to reach each other over the VPN. By default, clients will only be able to reach the server.
02:36 < MalekAlrwily> yeah I understood this
02:37 < MalekAlrwily> hiya: Could you please explain the route point?
02:38 < hiya> MalekAlrwily, give me your server.conf
02:38 < hiya> I would edit
02:38 < hiya> and it would be fine
02:38 < hiya> :)
02:38 < MalekAlrwily> lol wait I haven't created one yet
02:40 < hiya> MalekAlrwily, What is your aim?
02:42 < MalekAlrwily> I want to create an OpenVPN server, all my friends will connect to it and we can play games, and hope it supports both udp and tcp
02:42 < MalekAlrwily> hiya: ^
02:42 < hiya> I think you need client side routing
02:44 < MalekAlrwily> I want the server route it, because ISP blocks incoming connections
02:44 < MalekAlrwily> hiya: is it clear?
02:45 < hiya> ok
02:45 < MalekAlrwily> ty
02:45 < hiya> client-to-client should work for you
02:46 < MalekAlrwily> btw I will use it on linux, so please tell me if I need to do something else
02:54 -!- Tinyyy [~textual@175.156.198.127] has joined #openvpn
02:56 -!- Tinyyy [~textual@175.156.198.127] has quit [Client Quit]
02:57 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
02:57 -!- Tinyyy [~textual@175.156.198.127] has joined #openvpn
02:59 -!- Tinyyy [~textual@175.156.198.127] has quit [Client Quit]
03:01 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
03:04 < hiya> MalekAlrwily, is it done?
03:04 < hiya> just write something
03:04 < hiya> :)
03:08 < MalekAlrwily> hiya: just 1m
03:09 < MalekAlrwily> hiya: is it ok to use tcp and udp at the same time?
03:09 < hiya> MalekAlrwily, no always use UDP for gaming :)
03:10 < MalekAlrwily> hiya: and I can access websites as well?
03:13 < hiya> yep
03:13 < hiya> everything
03:18 -!- Meow-J [uid69628@gateway/web/irccloud.com/x-cocflilrtkrvqtnd] has joined #openvpn
03:33 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
03:34 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
03:36 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Client Quit]
03:38 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
03:39 < MalekAlrwily> hiya: http://pastebin.com/4p2chKsw
03:40 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds]
03:41 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Client Quit]
03:41 < MalekAlrwily> I enabled push "redirect-gateway" to make openvpn route all clients traffic (including websites)
03:41 < MalekAlrwily> is that right or should I disable it?
03:42 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
03:43 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
03:44 < hiya> keep it
03:44 < hiya> MalekAlrwily, I need to edit it
03:44 < hiya> wait
03:45 < MalekAlrwily> take your time
03:45 -!- luckman212 [~luckman21@unaffiliated/luckman212] has quit [Quit: Bye]
03:46 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Client Quit]
03:47 < hiya> MalekAlrwily, keep the money ready
03:47 < hiya> hehe
03:48 < MalekAlrwily> it's trial this time xD
03:50 -!- luckman212 [~luckman21@unaffiliated/luckman212] has joined #openvpn
03:51 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
03:52 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Client Quit]
03:52 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
03:54 -!- chachasmooth [~chachasmo@p4FC5F831.dip0.t-ipconnect.de] has quit [Changing host]
03:54 -!- chachasmooth [~chachasmo@unaffiliated/chachasmooth] has joined #openvpn
03:56 < hiya> https://spit.mixtape.moe/view/3fdffc0e#9aImbjJ4ItEoFzZDxRKY6EkbwdlLYmZw
03:56 <@vpnHelper> Title: server.conf - Mixtape Paste (at spit.mixtape.moe)
03:56 < hiya> MalekAlrwily, ^
03:56 < hiya> :)
03:57 < MalekAlrwily> hiya: ty
03:59 < hiya> https://spit.mixtape.moe/view/c16f75f5
03:59 <@vpnHelper> Title: client.conf - Mixtape Paste (at spit.mixtape.moe)
03:59 < hiya> MalekAlrwily, ^
03:59 < hiya> :)
04:00 < hiya> MalekAlrwily, if you need more help, I invited you to my chan
04:08 < MalekAlrwily> hiya: invite me
04:09 < hiya> MalekAlrwily, I did twice
04:09 < MalekAlrwily> oh sorry
04:10 -!- atralheaven [~atralheav@37.48.90.208] has joined #openvpn
04:11 < atralheaven> Hello
04:12 < hiya> atralheaven, hey
04:20 -!- catsup [d@ps38852.dreamhost.com] has quit [Read error: Connection reset by peer]
04:20 -!- catsup [~d@ps38852.dreamhost.com] has joined #openvpn
04:21 -!- catsup [~d@ps38852.dreamhost.com] has quit [Read error: Connection reset by peer]
04:32 -!- jackbrown [~se@unaffiliated/jackbrown] has joined #openvpn
04:40 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
04:42 -!- atralheaven [~atralheav@37.48.90.208] has quit [Ping timeout: 272 seconds]
04:45 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
04:47 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Client Quit]
04:48 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
05:10 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 240 seconds]
05:11 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
05:20 -!- Hadi [~Instantbi@gateway/vpn/privateinternetaccess/merandus] has quit [K-Lined]
05:37 -!- Meow-J [uid69628@gateway/web/irccloud.com/x-cocflilrtkrvqtnd] has quit [Quit: Connection closed for inactivity]
05:40 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Quit: Konversation terminated!]
05:43 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn
05:43 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
05:44 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
05:53 -!- ^cj^ is now known as ^CJ^
05:53 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
06:04 -!- ustn [~ustn@p4FDB0FE8.dip0.t-ipconnect.de] has quit [Quit: ustn]
06:07 -!- jackbrown [~se@unaffiliated/jackbrown] has quit [Ping timeout: 265 seconds]
06:10 -!- atralheaven [~atralheav@151.238.80.8] has joined #openvpn
06:11 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn
06:11 -!- shootbird [~quassel@beepbeep.serverpit.com] has quit [Ping timeout: 240 seconds]
06:12 < atralheaven> hiya: I want to increase encryption key length, how can I do it?
06:12 -!- shootbird [~quassel@beepbeep.serverpit.com] has joined #openvpn
06:12 < atralheaven> hiya: should client .ovpn file be changed too?
06:16 -!- dasmkjhdksa [~dd62@43.225.199.66] has joined #openvpn
06:21 < hiya> atralheaven, both have to be changed
06:21 < hiya> you can use
06:22 -!- atralheaven [~atralheav@151.238.80.8] has quit [Ping timeout: 256 seconds]
06:22 < hiya> atralheaven, use tls-version-min 1.2
06:22 < hiya> in server.conf
06:22 < hiya> cipher AES-256-CBC
06:22 < hiya> auth SHA512
06:22 -!- atralheaven [~atralheav@37.48.90.208] has joined #openvpn
06:22 < hiya> atralheaven, Do you follow?
06:22 < atralheaven> hiya: sorry I got disconnected
06:23 < atralheaven> may you send me what you said again?
06:23 < hiya> hiya> atralheaven, use tls-version-min 1.2
06:23 < hiya> in server.conf
06:23 < hiya> cipher AES-256-CBC
06:23 < hiya> auth SHA512
06:23 < hiya> atralheaven, Also share your configuration files
06:23 < hiya> I might be able to edit and help
06:24 < atralheaven> sure, the last time that I set up openvpn server I used a script
06:24 < hiya> Do not use a script ever
06:24 < hiya> I do not like it
06:24 < hiya> esp. when we are in learning mode
06:25 < hiya> _FBi, how do you isolate each client's traffic? so that they cannot scan each other?
06:25 < atralheaven> actually first time I had hard time setting it up! but I did it well :)
06:25 < hiya> ok
06:25 < hiya> That is awesome bro
06:25 < atralheaven> I need to be able to revoke a client easily
06:26 < hiya> ./revoke-all
06:26 < atralheaven> I wrote a script that could make a client
06:26 < hiya> ./revoke-all client
06:26 < hiya> it's all there in easy-rsa
06:26 < atralheaven> yes
06:26 < hiya> I am waiting for OpenVPN 2.3.4
06:26 < hiya> oops I mean
06:26 < hiya> 2.4.x*
06:26 < atralheaven> what has been changed?
06:26 < hiya> ECDHE support
06:26 < hiya> :)
06:26 < hiya> for tls-cipher
06:27 < hiya> it would be the best then
06:27 < hiya> also it might have support for better cipher for Data channels
06:27 < hiya> like GCM
06:27 < hiya> AES-256-GCM or chachapoly20
06:27 < atralheaven> do you use openvpn for your personal use?
06:27 < atralheaven> when will it be out?!
06:28 < hiya> I host a community server and provide service to people for no charge | donation based
06:28 < atralheaven> great!!
06:28 < atralheaven> will you help me to setup my own? I know most of stuff but I need to make it better
06:28 -!- jackbrown [~se@unaffiliated/jackbrown] has joined #openvpn
06:29 < hiya> Sure
06:34 -!- DrCode [~DrCode@5.28.134.3] has quit [Ping timeout: 265 seconds]
06:38 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
06:39 -!- allizom [~Thunderbi@87.18.174.87] has joined #openvpn
06:42 -!- atralheaven [~atralheav@37.48.90.208] has quit [Read error: Connection reset by peer]
06:55 -!- DrCode [~DrCode@5.28.134.3] has joined #openvpn
06:57 -!- shiriru [~shiriru@213.91.236.225] has joined #openvpn
07:02 < hiya> Anyone here into hardening?
07:05 -!- shiriru [~shiriru@213.91.236.225] has quit [Quit: Leaving]
07:24 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Quit: dionysus69]
07:26 -!- zamber [~zamber@78.8.105.64] has quit [Read error: Connection reset by peer]
07:27 -!- zamber [~zamber@78.8.105.64] has joined #openvpn
07:44 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
07:46 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
07:52 -!- allizom [~Thunderbi@87.18.174.87] has quit [Quit: allizom]
08:04 -!- noodle [~noodle@2601:601:600:fc0e:d250:99ff:fe84:56e8] has quit [Quit: /quit]
08:11 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
08:16 -!- Mazhive [~peter@telbo-200-6-151-93.cust.telbo.net] has joined #openvpn
08:16 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
08:19 < Mazhive> hello is there anybody who can help me with the connection between a client and server because as i think i cannot fully understand the communication between each other . according to the server.conf and or client.conf/client.ovpn /server.conf
08:20 < Mazhive> i am using a openvpn server on a debian and a client openvpn on a fedora 22
08:35 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Ping timeout: 276 seconds]
08:48 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
08:50 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
09:09 -!- noodle [~noodle@2601:601:600:fc0e:d250:99ff:fe84:56e8] has joined #openvpn
09:17 -!- krthnz [~krthnz@unaffiliated/krthnz] has joined #openvpn
09:21 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
09:35 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
09:37 < Mazhive> Authenticate/Decrypt packet error: cipher final failed can some one explain how i can solve this
09:42 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
09:45 -!- Hadi [~Instantbi@31.59.54.195] has joined #openvpn
09:48 -!- catsup [d@ps38852.dreamhost.com] has joined #openvpn
09:53 -!- ^CJ^ is now known as ^cj^
10:06 < Mazhive> why is it sooo difficult to get it working it is really getting on my nerves..
10:19 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
10:31 -!- MalekAlrwily [bc37355c@gateway/web/freenode/ip.188.55.53.92] has quit [Ping timeout: 252 seconds]
10:46 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
11:05 -!- shio [marmottin@129.121.101.84.rev.sfr.net] has quit [Ping timeout: 264 seconds]
11:06 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Quit: [BX] skyroveRR has no reason... just kidding :)]
11:06 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
11:07 -!- shio [marmottin@129.121.101.84.rev.sfr.net] has joined #openvpn
11:23 -!- DrCode [~DrCode@5.28.134.3] has quit [Remote host closed the connection]
11:24 -!- CaTtleyA1 [~CaTtleyA@aputeaux-653-1-27-218.w86-195.abo.wanadoo.fr] has joined #openvpn
11:36 -!- CaTtleyA1 [~CaTtleyA@aputeaux-653-1-27-218.w86-195.abo.wanadoo.fr] has quit [Quit: leaving]
11:36 -!- CaTtleyA_ [~CaTtleyA@aputeaux-653-1-27-218.w86-195.abo.wanadoo.fr] has quit [Quit: Lost terminal]
11:36 -!- AlmogBaku [~AlmogBaku@37.26.149.137] has joined #openvpn
11:37 -!- CaTtleyA_ [~CaTtleyA@aputeaux-653-1-27-218.w86-195.abo.wanadoo.fr] has joined #openvpn
11:38 -!- jackbrown [~se@unaffiliated/jackbrown] has quit [Ping timeout: 256 seconds]
11:40 -!- AlmogBaku [~AlmogBaku@37.26.149.137] has quit [Client Quit]
11:50 -!- AlmogBaku [~AlmogBaku@37.26.149.137] has joined #openvpn
12:07 -!- AlmogBaku [~AlmogBaku@37.26.149.137] has quit [Read error: Connection reset by peer]
12:34 < hiya> how much time can DH gen take?
12:34 < hiya> 4k?
12:35 < Neighbour> depends on the speed of your system...but on average not more than a couple of minutes
12:39 < hiya> DH gen on DO 512MB VPS taking over 1h 40m now, 4096-bit group
12:54 -!- jackbrown [~se@unaffiliated/jackbrown] has joined #openvpn
12:59 -!- shiriru [~shiriru@213.91.236.225] has joined #openvpn
13:08 < Neighbour> on my 1.86GHz atom D2550 it takes 27.5mins to generate a 4k DH parameter
13:08 < Neighbour> so my initial estimate of 'couple' of minutes was a bit off :)
13:09 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn
13:19 -!- bMalum [~textual@80-110-71-175.cgn.dynamic.surfer.at] has joined #openvpn
13:24 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 272 seconds]
13:38 -!- bMalum [~textual@80-110-71-175.cgn.dynamic.surfer.at] has quit [Ping timeout: 245 seconds]
13:44 -!- shiriru [~shiriru@213.91.236.225] has quit [Quit: Leaving]
13:47 < hiya> openssl dhparam -out dh4096.pem 4096
13:47 < hiya> same as ./build-dh ?
13:47 < hiya> with KEY_SIZE=4096
13:55 -!- DrCode [~DrCode@5.28.134.3] has joined #openvpn
14:01 -!- dancrew32 [~dancrew32@c-71-198-130-216.hsd1.ca.comcast.net] has joined #openvpn
14:08 -!- mnathani_ [~mnathani_@192-0-149-228.cpe.teksavvy.com] has quit [Ping timeout: 260 seconds]
14:39 -!- dancrew32 [~dancrew32@c-71-198-130-216.hsd1.ca.comcast.net] has quit [Remote host closed the connection]
15:18 -!- jackbrown [~se@unaffiliated/jackbrown] has quit [Quit: Sto andando via]
15:35 -!- bithon [~bithon@unaffiliated/bithon] has joined #openvpn
16:01 -!- bithon [~bithon@unaffiliated/bithon] has quit [Ping timeout: 260 seconds]
16:17 -!- MogDog [~mogdog@mog.dog] has quit [Quit: Server shutdown]
16:17 -!- MogDog [~mogdog@mog.dog] has joined #openvpn
16:48 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:54 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
17:09 -!- CaTtleyA_ [~CaTtleyA@aputeaux-653-1-27-218.w86-195.abo.wanadoo.fr] has quit [Quit: Lost terminal]
17:28 -!- skibur [~skibur@cpe-66-25-132-26.satx.res.rr.com] has joined #openvpn
17:28 < skibur> hello
17:28 < skibur> Morning/Afternoon/Evening
17:29 < skibur> I would like to reserve a VPN ip to forward to another IP outside of the VPN. How can I set that up via OpenVPN?
17:33 < skibur> :(
17:36 -!- Tykling [tykling@gibfest.dk] has quit [Read error: Connection reset by peer]
17:42 -!- Tykling [tykling@gibfest.dk] has joined #openvpn
17:44 -!- m01_ [~quassel@2a02:2658:1011:1::2:4044] has quit [Quit: No Ping reply in 180 seconds.]
18:01 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
18:01 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Ping timeout: 276 seconds]
18:22 -!- ketas- [~ketas@123-88-235-80.dyn.estpak.ee] has joined #openvpn
18:23 -!- shootbird [~quassel@beepbeep.serverpit.com] has quit [Ping timeout: 240 seconds]
18:24 -!- shootbird [~quassel@beepbeep.serverpit.com] has joined #openvpn
18:44 < skibur> exit
18:44 -!- skibur [~skibur@cpe-66-25-132-26.satx.res.rr.com] has left #openvpn []
19:15 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
19:33 -!- ketas [~ketas@229-211-191-90.dyn.estpak.ee] has quit [Ping timeout: 264 seconds]
19:46 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Ping timeout: 264 seconds]
19:47 -!- MogDog [~mogdog@mog.dog] has quit [Ping timeout: 264 seconds]
19:54 -!- ketas [~ketas@229-211-191-90.dyn.estpak.ee] has joined #openvpn
19:54 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
20:03 -!- Hadi [~Instantbi@31.59.54.195] has quit [Ping timeout: 264 seconds]
20:10 -!- Hadi [~Instantbi@31.59.54.195] has joined #openvpn
20:14 -!- Denial- [~Denial@81.141.23.61] has joined #openvpn
20:15 -!- Denial [~Denial@5.80.235.183] has quit [Ping timeout: 265 seconds]
20:29 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 240 seconds]
20:31 -!- MalekAlrwily [5a943adf@gateway/web/freenode/ip.90.148.58.223] has joined #openvpn
20:31 < MalekAlrwily> Hi
20:32 -!- mnathani_ [~mnathani_@192-0-149-228.cpe.teksavvy.com] has joined #openvpn
20:32 < MalekAlrwily> when I type "openvpn server.conf" nothing happens, it exits immediately
20:36 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
20:57 < dyce> what's the difference using tun and tap
20:58 < dyce> I want to use openvpn just so I can directly connect to other computers who are using the vpn
20:58 < dyce> so I don't want to route traffic over it (change the clients ip)
20:58 < dyce> i do want to ping other vpn clients
20:58 -!- jnmtx [~jnmtx@abra.me] has joined #openvpn
21:01 < subzero79> MalekAlrwily, check the logs, if the log file is pointed in server.conf comment it with ; so you can actually see the error in foreground
21:02 < MalekAlrwily> subzero79: ok I'll try
21:13 -!- tobinski___ [~tobinski@x2f5b526.dyn.telefonica.de] has joined #openvpn
21:17 -!- tobinski_ [~tobinski@x2f5498e.dyn.telefonica.de] has quit [Ping timeout: 256 seconds]
21:24 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 250 seconds]
21:25 -!- ketas- [~ketas@123-88-235-80.dyn.estpak.ee] has quit []
21:28 < MalekAlrwily> subzero79: is tls auth required?
21:29 < subzero79> MalekAlrwily, don't know what you want
21:29 < subzero79> in terms i don't know what you want to achieve
21:30 < MalekAlrwily> subzero79: can I use openvpn without tls? is it optional or required?
21:30 < subzero79> optional
21:31 -!- jnmtx [~jnmtx@abra.me] has quit [Quit: ZNC - 1.6.0 - http://znc.in]
21:31 -!- abra0 [znc-admin@unaffiliated/abra0] has quit [Quit: ZNC - 1.6.0 - http://znc.in]
21:32 < MalekAlrwily> subzero79: this is my server.conf file http://pastebin.com/p4RFbtGu , please check it. which lines should I remove to disable tls?
21:36 < subzero79> tls key i am guessing
21:40 -!- chachasmooth [~chachasmo@unaffiliated/chachasmooth] has quit [Ping timeout: 276 seconds]
21:40 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
21:41 -!- chachasmooth [~chachasmo@unaffiliated/chachasmooth] has joined #openvpn
21:42 < subzero79> What was the error in the log MalekAlrwily ?
22:15 < hiya> MalekAlrwily, What is the problem?
22:15 -!- MalekAlrwily [5a943adf@gateway/web/freenode/ip.90.148.58.223] has left #openvpn []
22:23 -!- daniel_j [~daniel@relaxing.in.the.stars.because-of.science] has joined #openvpn
22:25 < daniel_j> I'm on a linux box attempting to connect to the FrootVPN service, the client connects (i'm forced to use sudo) and is able to ping out to websites, however only a few select websites work - yet I can still ping the ones that have an ERR_EMPTY_RESPONSE error. And the sites that work are unbelievably slow. I'm guessing an issue like this is commonplace, any info on how I could go about fixing it?
22:28 < daniel_j> 9afk
22:35 < hiya> hey
22:36 < hiya> Hey I want to know how to isolate clients traffic in OpenVPN? so that they cannot scan each other's private IP range
22:36 < hiya> etc
22:45 < illuminated_> don't push routes or iroutes
23:01 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
23:01 <@plaisthos> !client-to-client
23:01 <@vpnHelper> "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind
23:01 <@vpnHelper> other clients
23:02 <@plaisthos> illuminated_: clients can still add the routes on their own
23:09 < hiya> illuminated_, ok
23:09 < hiya> plaisthos, how do I isolate client traffic?
23:10 <@plaisthos> hiya: use iptables
23:14 < hiya> ok, I know but I don't know how to :)
23:14 < hiya> Cannot ioctl TUNSETIFF tun0: File descriptor in bad state (errno=77)
23:14 < hiya> plaisthos, ^ what does it mean?
23:15 < hiya> tun not available right? Could be OpenVZ VPS
23:27 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
23:31 -!- boneskull [~boneskull@108.62.153.107] has joined #openvpn
23:33 -!- ShadniX [dagger@p5481D8AC.dip0.t-ipconnect.de] has quit [Ping timeout: 248 seconds]
23:34 < boneskull> I'm sure I have a basic misunderstanding of how things work, but this is my question: Is it possible to open a port on my client when connected to an OpenVPN server? is this something that needs to happen at my router level, or at the OpenVPN server level, or both, or what?
23:34 -!- ShadniX [dagger@p5DDFE78F.dip0.t-ipconnect.de] has joined #openvpn
23:35 < hiya> boneskull, Server level and your client firewall should support :)
23:35 -!- Hadi [~Instantbi@31.59.54.195] has quit [Remote host closed the connection]
23:39 < boneskull> hiya thanks. my router's firewall has nothing to do with it?
23:45 < boneskull> ahh, I figured it out. thanks
23:45 -!- boneskull [~boneskull@108.62.153.107] has quit []
23:58 -!- ayaz_ [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
23:59 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Ping timeout: 264 seconds]
--- Day changed Mon Jan 25 2016
00:00 < hiya> can anyone help me with "Ethernet-style" VPN setup?
00:04 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn
00:15 -!- ayaz_ [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
00:16 < hiya> Should we use tap or tun if we want all the clients to be on LAN when connected to VPN?
00:16 < hiya> plaisthos, ^
00:28 < hiya> The client-to-client directive can also be used in TUN-style networks. It works in exactly
00:28 < hiya> the same manner as in this recipe, except that the OpenVPN clients do not form a single
00:28 < hiya> broadcast domain.
00:28 < hiya> what does it mean?
00:29 -!- abra0 [znc-admin@unaffiliated/abra0] has joined #openvpn
00:39 < hiya> Do I need a simple non-bridged conf TAP?
00:55 -!- shiriru [~shiriru@213.91.236.225] has joined #openvpn
01:13 -!- MogDog [~mogdog@mog.dog] has joined #openvpn
01:25 -!- weox [uid112413@gateway/web/irccloud.com/x-ierfdksgvmhpvnmr] has quit [Quit: Connection closed for inactivity]
01:59 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds]
02:01 -!- shiriru [~shiriru@213.91.236.225] has quit [Quit: Leaving]
02:03 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
02:14 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 240 seconds]
02:16 <@plaisthos> !net101
02:16 <@vpnHelper> "net101" is http://www.youtube.com/watch?v=PBWhzz_Gn10 for a good video example
02:17 <@plaisthos> hm no
02:17 <@plaisthos> !tap
02:17 <@vpnHelper> "tap" is (#1) "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming,
02:17 <@plaisthos> !tun
02:17 <@vpnHelper> anything where the protocol uses MAC addresses instead of IP addresses. or (#2) For tun/tap and route/bridge comparing, see https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
02:17 <@plaisthos> !tun
02:20 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
02:27 -!- _0x5eb_ [~seb@seb-hpws2.elen.ucl.ac.be] has quit [Remote host closed the connection]
02:44 -!- lxusrbin [~lxusrbin@scotty.fr0st.it] has quit [Quit: leaving]
02:46 -!- lxusrbin [~lxusrbin@scotty.fr0st.it] has joined #openvpn
02:59 -!- dyce [~otr@ns3290920.ip-5-135-184.eu] has quit [Read error: Connection reset by peer]
03:10 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has quit [Ping timeout: 265 seconds]
03:12 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn
03:32 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 240 seconds]
03:33 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has joined #openvpn
03:36 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
03:42 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
03:47 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has quit [Ping timeout: 260 seconds]
03:48 -!- dazo_afk is now known as dazo
04:02 -!- CaTtleyA_ [~CaTtleyA@aputeaux-653-1-27-218.w86-195.abo.wanadoo.fr] has joined #openvpn
04:03 -!- CaTtleyA_ [~CaTtleyA@aputeaux-653-1-27-218.w86-195.abo.wanadoo.fr] has quit [Client Quit]
04:04 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Quit: [BX] Been around the world and found that only stupid people are breeding.]
04:05 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
04:05 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Max SendQ exceeded]
04:05 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
04:15 -!- leonarth [~leonarth@unaffiliated/leonarth] has joined #openvpn
04:21 < hiya> plaisthos, Should I use tab?
04:21 < hiya> tap*
04:22 <@plaisthos> hiya: See
04:22 <@plaisthos> !tun-or-tap
04:22 <@plaisthos> !tuntap
04:22 <@plaisthos> !tun
04:22 <@plaisthos> hm
04:22 <@plaisthos> !tap
04:22 <@vpnHelper> "tap" is (#1) "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming,
04:22 <@vpnHelper> anything where the protocol uses MAC addresses instead of IP addresses. or (#2) For tun/tap and route/bridge comparing, see https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
04:22 <@plaisthos> !tunortap
04:22 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
04:22 <@vpnHelper> rooted/jailbroken) support only tun
04:22 < hiya> plaisthos, I want all the users to be in lan after they connect to VPN
04:23 < hiya> lan gaming :)
04:23 < hiya> tap
04:23 < hiya> heheh
04:23 < hiya> plaisthos, but Sir, Do we still have to push "route"
04:23 < hiya> or server 10.0.8.0 255.255.255.0 is fine?
04:24 < hiya> Are the clients automatically provided with LAN IP?
04:25 < hiya> 192.168.0.4 etc etc
04:25 < hiya> on server side?
04:26 -!- ^cj^ is now known as ^CJ^ 04:27 -!- allizom [~Thunderbi@host183-175-dynamic.43-79-r.retail.telecomitalia.it] has joined #openvpn 04:27 -!- speeddragon [~speeddrag@193.137.28.200] has joined #openvpn 04:29 <@plaisthos> hiya: just read the tutorial or try it out 04:30 < hiya> plaisthos, I do not see any tutorial for tap 04:30 < hiya> Do you know any? 04:30 < hiya> !tap 04:30 < hiya> !tap 04:30 <@vpnHelper> "tap" is (#1) "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything 04:30 <@vpnHelper> where the protocol uses MAC addresses instead of IP addresses. or (#2) For tun/tap and route/bridge comparing, see https://community.openvpn.net/openvpn/wiki/BridgingAndRouting 04:30 <@vpnHelper> "tap" is (#1) "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything 04:30 <@vpnHelper> where the protocol uses MAC addresses instead of IP addresses. or (#2) For tun/tap and route/bridge comparing, see https://community.openvpn.net/openvpn/wiki/BridgingAndRouting 04:30 < hiya> ok 04:31 < hiya> plaisthos, my use case i.e lan gaming do not require bridging right? 
04:32 <@plaisthos> hiya: if you don't use old (as in 90is/early 2000) games it should work with tun 04:33 <@plaisthos> if you these games insist on doing weird non IP broadcasts or IPX or something strange like that, you need tap 04:33 < hiya> just need client-to-client? 04:33 < hiya> or push "route" 04:33 < hiya> too 04:33 < hiya> I think I need 04:33 < hiya> server 192.168.99.0 255.255.255.0 04:33 < marcoslater> Any good tutorials on how to set up OpenVPN with Elliptic Curves instead of RSA? 04:34 < hiya> marcoslater, wait for 2.4 04:34 < hiya> for EC crypto mode 04:35 < marcoslater> Ah, I presume its not fully supported now, then? 04:35 < hiya> push "route 10.0.99.0 255.255.255.0" 04:35 < hiya> marcoslater, no, I don't think so 04:35 < hiya> plaisthos, kindly help 04:35 < hiya> plaisthos, Do you know any book with complex stuff? 04:35 <@plaisthos> !book 04:36 <@vpnHelper> "book" is (#1) http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2! or (#2) Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn 04:37 < hiya> vpnHelper, Both of them does explain Ethernet-style OPenVPN but it is not clear :( 04:37 < hiya> I read them 04:37 < hiya> I guess I can only try and know 04:37 < hiya> now 04:37 < hiya> plaisthos, What does push "route .... " do? 04:37 < hiya> why do we have to do it? 04:37 -!- _0x5eb_ [~seb@seb-hpws2.elen.ucl.ac.be] has joined #openvpn 04:37 < hiya> I think it is only required in tun-style? 04:40 < hiya> plaisthos, I think tun is fine too thanks, I would gain access of friend's VPS who want it and get back 04:41 < hiya> I just do not understand this push "route ......" 
04:41 < hiya> ahhhhhh 04:47 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds] 04:49 -!- pothepanda [~thgs@2a02:587:3c04:1300:29bd:eda6:11ed:de2d] has quit [Quit: Leaving] 04:50 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 04:55 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds] 04:56 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 05:02 -!- Bluez_ [~Bluez@host31-48-120-88.range31-48.btcentralplus.com] has joined #openvpn 05:02 -!- alex1723841 [~Adium@37.208.120.215] has joined #openvpn 05:04 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 245 seconds] 05:15 -!- mzf [~mzf@unaffiliated/mzf] has joined #openvpn 05:16 < mzf> hi. i have 2 servers and i set up an openvpn remote connection from A to B. 05:16 < mzf> the problem is, B can not ping A until i run another ping from A to B and then ping works both ways until some amount of time 05:16 < mzf> and then again 05:16 < mzf> any idea? 06:03 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 06:04 < defsdoor> mzf, vpn actually up ? running keepalive ? 06:05 < defsdoor> does server A connect to server B ? 06:05 < mzf> defsdoor: yeah it's up. keepalive how can i check? 06:05 < mzf> defsdoor: yeah it does 06:06 < defsdoor> add keepalive 06:06 < defsdoor> something along your path is dropping the connection tracking of the UDP connection 06:06 < defsdoor> because A doesnt talk to B in a while 06:07 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has joined #openvpn 06:07 < mzf> i guess so 06:07 < defsdoor> add ping 15 06:07 < defsdoor> and keepalive 10 60 06:07 < mzf> the whole connection is on a cisco gre tunnel. that might be... 06:07 < defsdoor> for sure 06:09 -!- DelphiWorld [~VOIPER@openvpn/user/DelphiWorld] has joined #openvpn 06:09 -!- mode/#openvpn [+v DelphiWorld] by ChanServ 06:09 <+DelphiWorld> hi guys! 
06:10 <+DelphiWorld> i am runing a openvpn tap server 06:10 <+DelphiWorld> but the tap0 isn't getting any ip 06:10 <+DelphiWorld> http://paste.debian.net/368059/ 06:11 <+DelphiWorld> !heartbleed 06:11 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4) 06:11 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/ 06:16 -!- weox [uid112413@gateway/web/irccloud.com/x-kgivveyjphgxfspx] has joined #openvpn 06:22 <@plaisthos> DelphiWorld: 06:22 <@plaisthos> !config 06:22 <@vpnHelper> (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose. 06:22 <@plaisthos> hm 06:22 < mzf> defsdoor: thanks. seems that adding keepalive fixed it for now. 06:22 <@plaisthos> DelphiWorld: can you post your config? 06:22 <@plaisthos> !pastebin 06:22 <@vpnHelper> "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show 06:22 <+DelphiWorld> plaisthos: the ip should be assigned to the bridge, right? 
06:24 <+DelphiWorld> plaisthos: my conf: http://paste.debian.net/368059/ 06:24 -!- shootbird [~quassel@beepbeep.serverpit.com] has quit [Ping timeout: 265 seconds] 06:24 -!- allizom [~Thunderbi@host183-175-dynamic.43-79-r.retail.telecomitalia.it] has quit [Quit: allizom] 06:24 -!- mzf [~mzf@unaffiliated/mzf] has quit [Quit: Leaving] 06:25 -!- shootbird [~quassel@beepbeep.serverpit.com] has joined #openvpn 06:28 -!- AlmogBaku [~AlmogBaku@bzq-13-168-31-163.red.bezeqint.net] has joined #openvpn 06:36 -!- DelphiWorld [~VOIPER@openvpn/user/DelphiWorld] has quit [Read error: Connection reset by peer] 06:38 -!- nemysis [~nemysis@freebsd/developer/pcbsd.nemysis] has quit [Remote host closed the connection] 06:38 -!- DelphiWorld [~VOIPER@openvpn/user/DelphiWorld] has joined #openvpn 06:38 -!- mode/#openvpn [+v DelphiWorld] by ChanServ 06:38 <+DelphiWorld> plaisthos: got my config? 06:39 <@plaisthos> DelphiWorld: yes 06:40 <@plaisthos> server-bridge is designed that hte server itself should not have an IP 06:40 <@plaisthos> if the server should get an ip look at server 06:40 <+DelphiWorld> plaisthos: so what should i do? 06:40 <+DelphiWorld> plaisthos: i want the ip to stay at the bridge if pocible, not at the tap device 06:40 <@plaisthos> DelphiWorld: the man page even thats 06:40 <@plaisthos> Next you you must manually set the IP/netmask on the bridge interface. 06:41 -!- AlmogBaku [~AlmogBaku@bzq-13-168-31-163.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 06:41 <@plaisthos> DelphiWorld: that is outside of OpenVPN 06:41 <@plaisthos> how you configure your br0 device 06:41 <@plaisthos> did you read the manpage entry for server-bridge? 06:41 <+DelphiWorld> plaisthos: i did but i'm confused with openvpn... 06:46 <@plaisthos> DelphiWorld: yes, yes what I got. You complained that there is no ip on tap0 and then tell me that you also don't want a IP on tap0 06:50 -!- alex1723841 [~Adium@37.208.120.215] has quit [Quit: Leaving.] 
07:01 <+DelphiWorld> plaisthos: lol... confusion 07:02 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds] 07:02 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 07:11 -!- DelphiWorld [~VOIPER@openvpn/user/DelphiWorld] has quit [Read error: Connection reset by peer] 07:16 -!- leonarth [~leonarth@unaffiliated/leonarth] has quit [] 07:17 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 260 seconds] 07:18 -!- DelphiWorld [~VOIPER@openvpn/user/DelphiWorld] has joined #openvpn 07:18 -!- mode/#openvpn [+v DelphiWorld] by ChanServ 07:19 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Read error: Connection reset by peer] 07:20 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 07:22 <+DelphiWorld> plaisthos: there's my iface file: http://paste.debian.net/368100/ 07:23 <+DelphiWorld> and my server.conf: http://paste.debian.net/368101/ 07:23 <+DelphiWorld> i duno why my client can't ping my server 07:24 <@plaisthos> !goal 07:24 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 07:24 <@plaisthos> I have no idea what you are trying to achieve 07:24 <+DelphiWorld> i am bridging several lan through my openvpn server 07:25 <@plaisthos> into one huge lan, broadcast? 07:25 <@plaisthos> Wouldn't recommend that, but sure why not 07:27 <+DelphiWorld> plaisthos: yes, but small lans 07:27 <+DelphiWorld> 2 pc per lan, 3 lans 07:27 <@plaisthos> DelphiWorld: your problem is not clear to me 07:27 <+DelphiWorld> plaisthos: you saw my config. 
07:28 <+DelphiWorld> my client connect and get the ip 07:28 <@plaisthos> DelphiWorld: yes 07:28 <@plaisthos> yes 07:28 <+DelphiWorld> but no one can ping 07:28 <+DelphiWorld> client can't ping server, server can't ping client 07:28 <@plaisthos> !flowchart 07:28 <@plaisthos> !flow-chart 07:28 <@plaisthos> :/ 07:28 <+DelphiWorld> :P 07:28 < hiya> DelphiWorld, What are you trying to do? 07:28 <+DelphiWorld> what's flowshare? 07:29 <+DelphiWorld> hid3, bridge lans using tap 07:29 <@plaisthos> DelphiWorld: try to debug with brctl 07:29 <+DelphiWorld> hiya: bridge lan using tap 07:29 <@plaisthos> check if the tap devices are really connect 07:29 <@plaisthos> if you see the macs on the interfaces 07:29 <@plaisthos> etc. 07:29 <@plaisthos> also try tcpdump on client/server 07:29 <+DelphiWorld> ok, let me try brctl 07:30 <+DelphiWorld> tcpdump is odd for me due to my pc usage natuve 07:30 <@plaisthos> try the individual openvpn configs with --server instead --server-bridge 07:30 <@plaisthos> tcpdump is a basic network diagnosis tool 07:30 < hiya> DelphiWorld, Are you into tap Ethernet-style OpenVPN? 07:31 <@plaisthos> you probably will sooner or later have to learn wireshark/tcpdump for debugging setups such as this 07:32 <+DelphiWorld> hiya: yep, exactly 07:34 <+DelphiWorld> plaisthos: my issue is text to speech 07:34 <@plaisthos> DelphiWorld: oh :/ 07:34 <+DelphiWorld> plaisthos: i use screen readers 07:34 <@plaisthos> sorry didn't know that 07:34 <+DelphiWorld> plaisthos: lol, not an issue :-P 07:34 <+DelphiWorld> hold on i'll be back 07:35 -!- k0nsl [~k0nsl@unaffiliated/k0nsl] has quit [Read error: Connection reset by peer] 07:36 -!- k0nsl [~k0nsl@unaffiliated/k0nsl] has joined #openvpn 07:37 < hiya> DelphiWorld, I want to setup VPN for gaming as if each user were on same LAN, what should I do? Can ou help with configuration? 
07:37 -!- k0nsl [~k0nsl@unaffiliated/k0nsl] has quit [Client Quit] 07:38 -!- k0nsl [~k0nsl@unaffiliated/k0nsl] has joined #openvpn 07:39 -!- ^CJ^ is now known as ^cj^ 07:49 <+DelphiWorld> hiya: i am doing allmost the same 07:49 <+DelphiWorld> but i'm having an issue 07:49 <+DelphiWorld> if i do it i'll share 07:55 < hiya> whats the issue? 07:55 <+DelphiWorld> my client connect but can't ping server 07:56 -!- DelphiWorld [~VOIPER@openvpn/user/DelphiWorld] has quit [Read error: Connection reset by peer] 07:57 -!- PhSnake [~PhSnake@109-230-44-144.dynamic.orange.sk] has joined #openvpn 07:57 < PhSnake> good afternoon all 08:00 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 256 seconds] 08:04 < PhSnake> just a Q, does anyone know some OpenVPN client for android that has a widget for toggling VPN on/off? 08:05 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn 08:08 -!- DelphiWorld [~VOIPER@openvpn/user/DelphiWorld] has joined #openvpn 08:08 -!- mode/#openvpn [+v DelphiWorld] by ChanServ 08:08 <+DelphiWorld> yo 08:08 <+DelphiWorld> plaisthos: i think i got my issue 08:08 <+DelphiWorld> my bridge is auto creating the tap0 device 08:08 <+DelphiWorld> but openvpn if started it create the tap1, and not bridge it 08:10 -!- CaTtleyA [~CaTtleyA@aputeaux-653-1-27-218.w86-195.abo.wanadoo.fr] has quit [Ping timeout: 272 seconds] 08:10 -!- CaTtleyA [~CaTtleyA@aputeaux-653-1-27-218.w86-195.abo.wanadoo.fr] has joined #openvpn 08:12 < hiya> DelphiWorld, diid it work? 
08:12 -!- PhSnake is now known as PhSnake_away 08:13 -!- PhSnake_away [~PhSnake@109-230-44-144.dynamic.orange.sk] has left #openvpn [] 08:14 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has joined #openvpn 08:15 -!- k0nsl [~k0nsl@unaffiliated/k0nsl] has quit [Ping timeout: 250 seconds] 08:24 <+DelphiWorld> hiya: no 08:26 < hiya> DelphiWorld, I think you can even do tun ethernet-style OpenVPN 08:26 <+DelphiWorld> hiya: tun isn't ethernet, its tunneled 08:27 < DArqueBishop> DelphiWorld: it might help if you posted logs. 08:27 < DArqueBishop> !logs 08:27 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile 08:27 -!- bMalum [~textual@80-110-71-175.cgn.dynamic.surfer.at] has joined #openvpn 08:27 <+DelphiWorld> DArqueBishop: hold on! 08:29 <@plaisthos> DelphiWorld: your problem is the space in the dev line 08:30 <+DelphiWorld> strange, plaisthos 08:30 <@plaisthos> dev tap0 instead of dev tap 0 08:30 <@plaisthos> the 0 is simply ignored 08:30 <+DelphiWorld> HAHA. 08:30 <+DelphiWorld> funy 08:30 <@plaisthos> (later 2.3 and 2.4 will warn/error out on that) 08:30 -!- litewait [~litewait@ool-4571f90d.dyn.optonline.net] has quit [Quit: litewait] 08:31 <+DelphiWorld> plaisthos: so dev tap0 will use existing / pre-created tap? 08:31 <@plaisthos> yes 08:31 <+DelphiWorld> awesome 08:32 <@plaisthos> you can even use more descriptive interface names 08:32 <@plaisthos> like tap-lanhome 08:32 <+DelphiWorld> plaisthos: dude, you're my eyes! 08:32 <+DelphiWorld> fucking space touk my day out ! 
08:32 <@plaisthos> yeah 08:33 <@plaisthos> it is the thing you don't see anymore no matter how often you read the stuff 08:33 <+DelphiWorld> plaisthos, stupid text to speech dont read space... 08:34 <+DelphiWorld> its not stupid but its my lazyness 08:34 <+DelphiWorld> if i readed the line character by character i should have goten it:P 08:36 -!- DelphiWorld [~VOIPER@openvpn/user/DelphiWorld] has quit [Read error: Connection reset by peer] 08:39 -!- DelphiWorld [~VOIPER@openvpn/user/DelphiWorld] has joined #openvpn 08:39 -!- mode/#openvpn [+v DelphiWorld] by ChanServ 08:40 * DelphiWorld is happy dansing 08:40 <+DelphiWorld> hiya: i'll share 08:47 < hiya> DelphiWorld, did it finally work? 08:47 < hiya> but first show me your setup? 08:47 < hiya> What did you do? 08:47 <+DelphiWorld> yes work 08:48 < hiya> Cool, congrats 08:48 <+DelphiWorld> several pc in the same lan bridged through ovpn 08:48 <+DelphiWorld> i'll post you both my iface file & my openvpn file, but you'll have to do the openssl cert yourself 08:49 -!- nemysis [~nemysis@freebsd/developer/pcbsd.nemysis] has joined #openvpn 08:51 < hiya> no no 08:51 < hiya> I want it to be simple 08:51 < hiya> you connect to VPN 08:51 < hiya> and end up in LAN 08:51 < hiya> with other VPn users 08:51 <+DelphiWorld> yes, that what i do 08:51 <@plaisthos> hiya: define "in LAN" 08:52 <@plaisthos> hiya: 08:52 <@plaisthos> !goal 08:52 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 08:52 < hiya> plaisthos, we can share stuff with each other and ping 08:52 <@plaisthos> hiya: just setup a standard openvpn server with tun 08:53 < hiya> client-to-client 08:53 < hiya> ? 
08:53 <@plaisthos> and add client-to-client to the config 08:53 < hiya> I know 08:53 < hiya> but 08:53 < hiya> in most of the tutorials 08:53 -!- nemysis [~nemysis@freebsd/developer/pcbsd.nemysis] has quit [Max SendQ exceeded] 08:53 < hiya> I see push "route .............. " 08:53 -!- toli [~toli@ip-83-134-71-71.dsl.scarlet.be] has quit [Ping timeout: 246 seconds] 08:53 < hiya> why that additional thing? 08:54 <+DelphiWorld> push route is something else 08:54 < hiya> why do they have it? 08:54 < hiya> Mastering OpenVPN 2015 book has it 08:54 <@plaisthos> it pushes an additional route to your client 08:54 < hiya> why does it do? 08:54 <@plaisthos> hiya: you understand what routes are? 08:54 < hiya> no heh 08:54 < hiya> :) 08:54 <@plaisthos> you should really some basic network tutorial 08:54 <@plaisthos> +read 08:55 <@plaisthos> !net101 08:55 < hiya> DelphiWorld, PM me your configuration, maybe I get to learn something 08:55 <@vpnHelper> "net101" is http://www.youtube.com/watch?v=PBWhzz_Gn10 for a good video example 08:55 <@plaisthos> hiya: his config is far to complicated for your usecase 08:55 < hiya> Ok 08:55 < hiya> leave it DelphiWorld 08:55 < hiya> :) 08:55 <@plaisthos> for your usecase you also don't need push route 08:55 < hiya> plaisthos, but my question is do we need server 192.168.99.0 08:55 < hiya> or server 10.0.8.0 08:55 < hiya> in my case? 08:56 < hiya> because 08:56 <+DelphiWorld> hiya: http://paste.debian.net/368158/ 08:56 < hiya> ethernet-style must allot ethernet-style IP? 08:56 <+DelphiWorld> hiya: http://paste.debian.net/368159/ 08:56 < hiya> plaisthos, with client to client, if one guy shares something, can other VPN guy, see it? 08:56 <+DelphiWorld> hiya: check br0 08:56 < hiya> or discover it? 08:57 < hiya> or access it? 08:57 < hiya> like in LAN? 08:57 <+DelphiWorld> hiya: see my config. 
08:57 < hiya> ok reading 08:57 < hiya> :) 08:57 <@plaisthos> hiya: depends on the software you use 08:57 <@plaisthos> but it should work similar 08:57 <@plaisthos> and I do not what a ethernet-style IP should be 08:57 < hiya> 192.168.xx 08:57 <@plaisthos> and the argument to server is the IP address/range of your VPN 08:57 < hiya> ? 08:58 <+DelphiWorld> plaisthos: yep that what's confusing me...l ol, maybe he mean private RFC 1918 ip 08:58 -!- nemysis [~nemysis@freebsd/developer/pcbsd.nemysis] has joined #openvpn 08:59 < hiya> DelphiWorld, usually lan ip is like 192.168.xx 08:59 < hiya> I am just asking 09:00 <+DelphiWorld> hiya: the lan ip is ip... out of range 09:00 <+DelphiWorld> but if you mean private ip, it's from the 10.0.0.0/8 range, or 172.168.0.0/16, or 172.16.0.0/12. 09:01 -!- AlmogBaku [~AlmogBaku@bzq-13-168-31-163.red.bezeqint.net] has joined #openvpn 09:01 < hiya> DelphiWorld, how can ethernet-style VPN work? For example can I share a folder which is only accessible using VPN? 09:02 < hiya> So that it is broadcasted only when I m on VPN and other VPN users can see it? 09:02 < hiya> !client-to-client 09:02 <@vpnHelper> "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind other 09:02 <@vpnHelper> clients 09:04 -!- toli [~toli@ip-83-134-71-57.dsl.scarlet.be] has joined #openvpn 09:04 < hiya> plaisthos, So if I shared a folder, can you access it from same server using my IP alloted by server? 09:05 < hiya> would smb://10.0.8.5 reach you? 09:05 < hiya> your computer's SMB? 
09:05 < hiya> DelphiWorld, ^ 09:06 < hiya> Kindly help 09:06 < hiya> :( 09:06 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has quit [Remote host closed the connection] 09:06 <@plaisthos> hiya: it is hard to help you because you seem to be lacking the basic network knowledge 09:07 < hiya> yep 09:07 < hiya> I agree 09:07 <+DelphiWorld> hiya: use tap style vpn. 09:07 <+DelphiWorld> hiya: try my config and report 09:07 < hiya> your configuration is not good for me 09:07 < hiya> you are bridging 09:07 < hiya> I do not need it? 09:07 <+DelphiWorld> hiya: you're asking for lan style, no? 09:08 < hiya> Yes 09:08 <+DelphiWorld> if you dont want bridge 09:08 <+DelphiWorld> then you can't do discovery 09:08 < hiya> but 09:08 <@plaisthos> actually with topology subnet discovery should work with tun 09:08 < hiya> with bridging only your LAN ----- VPN's LAN 09:08 <+DelphiWorld> plaisthos: you should explain this to me. 09:09 <+DelphiWorld> hiya: with bridging only your LAN ----- VPN's LAN 09:09 <+DelphiWorld> ... i'm lost... 09:09 < hiya> I am talking about situation where people from 10 different nation connect to a VPN 09:09 < hiya> and can talk and exchange traffic 09:09 <@plaisthos> DelphiWorld: with topology subnet the tap devices on all clients look like they belong to a common subnet 09:09 <+DelphiWorld> ah. 09:10 <+DelphiWorld> plaisthos: kindly explain what you mean by topology subnet 09:10 <@plaisthos> !topology 09:10 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. 
or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology 09:10 <@plaisthos> DelphiWorld: it is a config option 09:10 -!- ^cj^ is now known as ^CJ^ 09:10 -!- freekevin [freekevin@unaffiliated/freekevin] has quit [Ping timeout: 240 seconds] 09:10 -!- DelphiWorld [~VOIPER@openvpn/user/DelphiWorld] has quit [Read error: No route to host] 09:11 < hiya> plaisthos, Discovery should work? but how? I don't get it, I mean what would we discover? if we do "smb://10.0.8.5" we discover that client's SMB? 09:12 <@plaisthos> hiya: using the IP addresses of the other client should always work 09:12 -!- AlmogBaku [~AlmogBaku@bzq-13-168-31-163.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 09:12 -!- freekevin [freekevin@unaffiliated/freekevin] has joined #openvpn 09:13 < hiya> plaisthos, Would it work like I tried to explain? 09:13 -!- AlmogBaku [~AlmogBaku@bzq-13-168-31-163.red.bezeqint.net] has joined #openvpn 09:13 <@plaisthos> hiya: I give up 09:13 < hiya> I do not get it sorry :( 09:14 <@plaisthos> hiya: Really, please read a tutorial about networking 09:14 < hiya> k 09:17 -!- bMalum [~textual@80-110-71-175.cgn.dynamic.surfer.at] has quit [Ping timeout: 245 seconds] 09:19 -!- Hadi [~Instantbi@31.59.54.195] has joined #openvpn 09:20 < hiya> !filtering 09:22 -!- AlmogBaku [~AlmogBaku@bzq-13-168-31-163.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. 
ZZZzzz…] 09:27 -!- AlmogBaku [~AlmogBaku@bzq-13-168-31-163.red.bezeqint.net] has joined #openvpn 09:32 -!- AlmogBaku [~AlmogBaku@bzq-13-168-31-163.red.bezeqint.net] has quit [Client Quit] 09:32 -!- Hadi [~Instantbi@31.59.54.195] has quit [Read error: Connection reset by peer] 09:32 -!- Hadi [~Instantbi@31.59.54.195] has joined #openvpn 09:49 -!- bMalum [~textual@80-110-71-175.cgn.dynamic.surfer.at] has joined #openvpn 09:53 -!- bdmc [bdmc@cl-745.bos-01.us.sixxs.net] has joined #openvpn 10:01 -!- bMalum [~textual@80-110-71-175.cgn.dynamic.surfer.at] has quit [Ping timeout: 240 seconds] 10:08 -!- moriko [~moriko@178.162.222.41] has joined #openvpn 10:15 -!- enki [~enki@dynamic-78-30-156-27.adsl.eunet.rs] has joined #openvpn 10:16 -!- bMalum [~textual@80-110-71-175.cgn.dynamic.surfer.at] has joined #openvpn 10:16 < bMalum> Can I have 2 IP Adresses on one TUN_Interface? Like an Alias for Jails? 10:26 -!- pythonsnake [~pythonsna@fedora/pythonsnake] has quit [Ping timeout: 264 seconds] 10:41 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 240 seconds] 10:45 -!- bMalum [~textual@80-110-71-175.cgn.dynamic.surfer.at] has quit [Ping timeout: 276 seconds] 10:46 -!- frank-- [1000@unaffiliated/thumbs] has joined #openvpn 10:47 -!- thumbs [~frank@unaffiliated/thumbs] has quit [Killed (holmes.freenode.net (Nickname regained by services))] 10:47 -!- frank-- is now known as thumbs 10:49 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 253 seconds] 10:53 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 10:55 -!- pythonsnake [~pythonsna@fedora/pythonsnake] has joined #openvpn 11:03 -!- sixtoedjesus [~stj@unaffiliated/sixtoedjesus] has quit [Quit: WeeChat 1.1.1] 11:07 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 11:10 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 240 seconds] 11:11 -!- AlmogBaku [~AlmogBaku@37.26.149.174] has joined #openvpn 11:13 -!- AlmogBaku [~AlmogBaku@37.26.149.174] has quit 
[Client Quit] 11:20 < cirdan> so is there any way to make a client on the LAN appear as a client on the VPN side? without the lan client running vpn software 11:33 -!- k0nsl [~k0nsl@unaffiliated/k0nsl] has joined #openvpn 11:36 -!- plr777 [~yourname@1.39.62.112] has joined #openvpn 11:52 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Quit: WeeChat 1.4-dev] 11:52 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn 12:04 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn 12:13 -!- ^CJ^ is now known as ^cj^ 12:14 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 12:27 -!- plr777 [~yourname@1.39.62.112] has quit [Ping timeout: 256 seconds] 12:29 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds] 12:32 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 12:39 -!- pothepanda [~thgs@2a02:587:3c04:1300:29bd:eda6:11ed:de2d] has joined #openvpn 12:40 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds] 12:41 -!- pothepanda [~thgs@2a02:587:3c04:1300:29bd:eda6:11ed:de2d] has quit [Client Quit] 12:42 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 12:49 -!- Bluez_ [~Bluez@host31-48-120-88.range31-48.btcentralplus.com] has quit [Quit: Bluez_] 12:50 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds] 12:54 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 12:56 -!- toli [~toli@ip-83-134-71-57.dsl.scarlet.be] has quit [Ping timeout: 246 seconds] 13:02 -!- toli [~toli@ip-83-134-71-57.dsl.scarlet.be] has joined #openvpn 13:06 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 260 seconds] 13:11 -!- pa [~pa@unaffiliated/pa] has joined #openvpn 13:29 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 240 seconds] 13:29 -!- GrandMasta [32c9e70a@gateway/web/cgi-irc/kiwiirc.com/ip.50.201.231.10] has joined #openvpn 13:32 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 13:34 -!- Hadi [~Instantbi@31.59.54.195] has quit [Read error: Connection reset by peer] 13:34 -!- Hadi 
[~Instantbi@31.59.54.195] has joined #openvpn 13:37 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds] 13:40 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 13:41 -!- GrandMasta [32c9e70a@gateway/web/cgi-irc/kiwiirc.com/ip.50.201.231.10] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client] 13:43 -!- GrandMasta [32c9e70a@gateway/web/cgi-irc/kiwiirc.com/ip.50.201.231.10] has joined #openvpn 13:50 -!- K1rk [~Kirk@158.69.167.167] has joined #openvpn 14:04 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds] 14:10 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 14:12 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Client Quit] 14:14 -!- JoshX [~joshx@townsville.nl] has quit [Quit: Changing server] 14:14 -!- Hadi [~Instantbi@31.59.54.195] has quit [Read error: Connection reset by peer] 14:15 -!- Hadi [~Instantbi@31.59.54.195] has joined #openvpn 14:18 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 14:18 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 14:20 -!- dazo is now known as dazo_afk 14:23 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds] 14:25 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 14:34 -!- AlmogBak_ [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 14:35 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Ping timeout: 240 seconds] 14:38 -!- AlmogBaku [~AlmogBaku@52.29.117.25] has joined #openvpn 14:40 -!- AlmogBak_ [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Ping timeout: 240 seconds] 14:58 -!- GrandMasta [32c9e70a@gateway/web/cgi-irc/kiwiirc.com/ip.50.201.231.10] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client] 15:15 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 15:20 -!- r00t^2 [~bts@g.rainwreck.com] has quit [Quit: i don’t know why i think pressing ctrl-c harder will help.] 
15:20 -!- r00t^2 [~bts@g.rainwreck.com] has joined #openvpn
15:44 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Quit: Ex-Chat]
15:44 -!- defsdoor_ [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn
16:10 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Remote host closed the connection]
16:10 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn
16:34 -!- defsdoor__ [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn
16:35 -!- defsdoor_ [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Read error: Connection reset by peer]
16:36 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Ping timeout: 260 seconds]
17:05 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
17:10 -!- defsdoor__ [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Quit: Ex-Chat]
17:11 -!- defsdoor__ [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn
17:13 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 250 seconds]
17:14 -!- allizom [~Thunderbi@host183-175-dynamic.43-79-r.retail.telecomitalia.it] has joined #openvpn
17:16 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds]
17:18 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
17:45 -!- james41382 [~james4138@unaffiliated/james41382] has quit [Ping timeout: 276 seconds]
17:45 -!- Hadi [~Instantbi@31.59.54.195] has quit [Read error: Connection reset by peer]
17:46 -!- Hadi [~Instantbi@31.59.54.195] has joined #openvpn
17:46 -!- AlmogBaku [~AlmogBaku@52.29.117.25] has quit [Ping timeout: 272 seconds]
17:49 -!- Dougy [~dhaber@openvpn/community/support/Dougy] has joined #openvpn
17:49 < Dougy> hello
18:07 -!- defsdoor__ [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Remote host closed the connection]
18:18 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has quit [Remote host closed the connection]
18:35 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
18:35 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Max SendQ exceeded]
18:35 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
18:35 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds]
18:37 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
18:38 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
18:53 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds]
18:55 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
19:02 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
19:16 -!- shootbird [~quassel@beepbeep.serverpit.com] has quit [Ping timeout: 245 seconds]
19:17 -!- shootbird [~quassel@beepbeep.serverpit.com] has joined #openvpn
19:21 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
19:29 -!- Hadi [~Instantbi@31.59.54.195] has quit [Read error: Connection reset by peer]
19:30 -!- Hadi [~Instantbi@31.59.54.195] has joined #openvpn
19:36 -!- dasmkjhdksa [~dd62@43.225.199.66] has quit [Remote host closed the connection]
20:03 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
20:28 -!- Hadi [~Instantbi@31.59.54.195] has quit [Remote host closed the connection]
20:43 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
21:02 -!- kaiza [~kaiza@172.98.67.7] has joined #openvpn
21:12 -!- tobinski_ [~tobinski@x2f5894f.dyn.telefonica.de] has joined #openvpn
21:16 -!- tobinski___ [~tobinski@x2f5b526.dyn.telefonica.de] has quit [Ping timeout: 240 seconds]
21:39 -!- chachasmooth [~chachasmo@unaffiliated/chachasmooth] has quit [Ping timeout: 250 seconds]
21:39 -!- chachasmooth [~chachasmo@unaffiliated/chachasmooth] has joined #openvpn
21:56 -!- petersaints [~petersain@a95-92-215-252.cpe.netcabo.pt] has quit [Ping timeout: 250 seconds]
22:05 -!- petersaints [~petersain@a95-92-215-252.cpe.netcabo.pt] has joined #openvpn
22:06 -!- james41382 [~james4138@unaffiliated/james41382] has joined #openvpn
22:13 -!- allizom [~Thunderbi@host183-175-dynamic.43-79-r.retail.telecomitalia.it] has quit [Quit: allizom]
23:31 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds]
23:32 -!- ShadniX [dagger@p5DDFE78F.dip0.t-ipconnect.de] has quit [Ping timeout: 248 seconds]
23:33 -!- ShadniX [dagger@p5DDFD214.dip0.t-ipconnect.de] has joined #openvpn
23:39 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
--- Day changed Tue Jan 26 2016
00:12 -!- zmachine [~zmachine@pool-74-100-90-30.lsanca.fios.verizon.net] has joined #openvpn
00:15 -!- riddle [riddle@us.yunix.net] has quit [Ping timeout: 240 seconds]
00:16 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
00:23 -!- riddle [riddle@us.yunix.net] has joined #openvpn
00:25 -!- zmachine [~zmachine@pool-74-100-90-30.lsanca.fios.verizon.net] has quit [Remote host closed the connection]
00:26 -!- zmachine [~zmachine@pool-74-100-90-30.lsanca.fios.verizon.net] has joined #openvpn
00:40 -!- riddle [riddle@us.yunix.net] has quit [Ping timeout: 245 seconds]
00:48 -!- riddle [riddle@us.yunix.net] has joined #openvpn
00:53 < daniel_j> i don't know who to blame frootvpn or openvpn, lol, a few select websites work and speedtests can't connect to upload, but they can download, and icing on the cake, ssh doesn't work.
00:59 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Ping timeout: 245 seconds]
01:00 -!- Lonie [~Lonie@109.73.19.2] has joined #openvpn
01:09 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
01:24 -!- TheSilverSentine [TheSilverS@gateway/shell/bnc4free/x-gvzpquqmqffvehda] has joined #openvpn
01:45 -!- Lonie [~Lonie@109.73.19.2] has quit []
02:01 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn
02:02 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has joined #openvpn
02:29 -!- TheSilverSentine [TheSilverS@gateway/shell/bnc4free/x-gvzpquqmqffvehda] has quit [Excess Flood]
02:44 -!- dazo_afk is now known as dazo
02:48 -!- ^cj^ is now known as ^CJ^
03:21 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn
03:40 -!- pothepanda [~thgs@athedsl-303918.home.otenet.gr] has joined #openvpn
04:37 -!- Haxxa [~Harrison@CPE-58-161-1-116.bqds1.win.bigpond.net.au] has joined #openvpn
04:38 < Haxxa> Hi Guys open vpn fails to start unless I manually start it - this just started to happen and it normally starts by a .conf file in /etc/openvpn
04:38 < Haxxa> Any ideas would be great
04:38 -!- eSgr [~eSgr@priv.is-infra.net] has quit [Ping timeout: 248 seconds]
04:42 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
04:43 -!- eSgr [~eSgr@priv.is-infra.net] has joined #openvpn
04:44 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Client Quit]
04:57 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
05:05 -!- IamError [~tom@unaffiliated/iamerror] has quit [Ping timeout: 265 seconds]
05:20 < Haxxa> Hello?
05:20 < Haxxa> anyone?
05:20 < Haxxa> really stuck here :/
05:23 -!- moriko [~moriko@178.162.222.41] has quit [Ping timeout: 272 seconds]
05:24 <@plaisthos> Haxxa: check your logfile
05:25 <@plaisthos> !log
05:25 <@vpnHelper> Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
05:25 <@plaisthos> !log-file
05:25 <@plaisthos> !logfile
05:25 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
05:25 <@dazo> !logs
05:25 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
05:28 < Haxxa> plaisthos, thanks where would this logfile be on a debian based system? Do I need to enable logging or is it located somewhere as I am not running the command it should autostart?
05:28 <@plaisthos> /var/log/syslog
05:29 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
05:32 < Haxxa> plaisthos, I just reinstalled openvpn and now it works?
05:33 < Haxxa> I just went openvpn purge remove and updated packages
05:33 < Haxxa> and now upon reinstall it works
05:34 < Haxxa> plaisthos, thanks anyway I'll see what happens
05:41 -!- pothepanda [~thgs@athedsl-303918.home.otenet.gr] has quit [Quit: Leaving]
05:48 -!- Denial- [~Denial@81.141.23.61] has quit []
05:49 -!- pothepanda [~thgs@athedsl-303918.home.otenet.gr] has joined #openvpn
05:51 -!- Denial [~Denial@81.141.23.61] has joined #openvpn
05:59 < marcoslater> W/ IPv6 configuration, does OpenVPN just pick first free address out of a /# to give to clients, or does each client get its own assigned and that's it? I've got my laptop and my phone on it, my laptop always gets 1000 and my phone always 1001, even after restarts etc, I'm confused as to how assignments work.
06:00 < marcoslater> Hmm, looked at v4 logs, and v4's always appear to be the same too.. How does this all work?
06:02 <@plaisthos> !ipp
06:02 <@vpnHelper> "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
06:03 -!- shootbird [~quassel@beepbeep.serverpit.com] has quit [Ping timeout: 265 seconds]
06:03 <@plaisthos> and yes the default policy is linearly give out addresses
06:03 < marcoslater> Ah.
06:04 < marcoslater> That explains it, I just checked that txt file, makes sense.
06:04 < marcoslater> Thank you plaisthos :)
06:04 -!- shootbird [~quassel@beepbeep.serverpit.com] has joined #openvpn
06:04 < marcoslater> !static
06:04 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) with static IPs, limit your --ifconfig-pool to exclude the static range or (#5) See also: !addressing
06:08 -!- PhSnake [~PhSnake@109-230-44-144.dynamic.orange.sk] has joined #openvpn
06:08 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
06:15 < PhSnake> Hi friends, don't you know whether it is possible to send a Wake-on-lan packet over vpn?
06:16 -!- jesopo is now known as the_game
06:16 -!- the_game is now known as jesopo
06:17 <@plaisthos> sure
06:18 <@plaisthos> (you obviously cannot wake up the VPN client itself)
06:25 <@dazo> PhSnake: how would that work out in practice?
06:26 <@plaisthos> dazo: routed directed broadcast could work
06:26 <@dazo> plaisthos: depends on whom you want to awake, though
06:27 <@plaisthos> iroute to your homenetwork and then just send a wakeup to 192.168.177.255
06:27 <@dazo> plaisthos: but ... don't you need Ethernet frames to transport the WoL payload?
06:28 <@plaisthos> dazo: no
06:29 <@plaisthos> wol is a udp broadcast packet to port 9 with magic bytes as payload
06:29 <@plaisthos> I actually set up this wakeup
06:30 <@plaisthos> but with "normal" cisco switches/router between the networks instead of a VPN connection
06:30 <@plaisthos> you need to explicitly allow the directed broadcasts in an ACL
06:30 <@dazo> "The magic packet is sent on the data link layer (layer 2 in the OSI model) and when sent, is broadcast to all attached devices on a given network, using the network broadcast address; the IP-address (layer 3 in the OSI model) is not used."
06:30 <@dazo> https://en.wikipedia.org/wiki/Wake-on-LAN
06:30 <@vpnHelper> Title: Wake-on-LAN - Wikipedia, the free encyclopedia (at en.wikipedia.org)
06:30 <@plaisthos> linux might also need a sysctl
06:31 < marcoslater> btw, for IPv6, how does one push an IPv6 DNS server? I've got push "dhcp-option DNS 2001:4860:4860::8888", not sure if that will work.
06:31 <@plaisthos> dazo: from the same page ;)
06:31 <@plaisthos> Since the magic packet is only scanned for the string above, and not actually parsed by a full protocol stack, it may be sent as any network- and transport-layer protocol, although it is typically sent as a UDP datagram to port 0,[6] 7 or 9, or directly over Ethernet as EtherType 0x0842.[7]
06:32 * dazo need to run for lunch
06:32 <@plaisthos> marcoslater: I am not sure pushing v6 dns is support
06:32 <@plaisthos> ed
06:32 <@plaisthos> but that might work for some client and not for others
06:33 < marcoslater> Ah, fair enough.
06:33 < marcoslater> I'll look out for v6 changelogs in next releases then
06:34 <@plaisthos> marcoslater: nothing changed in that area
06:34 -!- rich0 is now known as rich0_
06:34 -!- rich0_ is now known as rich0
06:34 -!- rich0 is now known as rich0__
06:34 -!- rich0__ is now known as rich0
06:36 <@plaisthos> hm
06:36 <@plaisthos> the parsing code for windows does not like non IPv4 addresses
06:36 < PhSnake> i want to open vpn conn from my android (i hv app that can send wol packets - works fine when I'm connected over local IP), not working when I'm connected thru Mobile Operator & OpenVPN (running open OpenWRT)
06:37 < marcoslater> I've just got OS X and iOS connecting
06:37 < PhSnake> running on OpenWRT
06:37 <@plaisthos> PhSnake: yeah, you need to directed broadcasts
06:37 <@plaisthos> that probably needs more work
06:37 <@plaisthos> and the app needs to understand it
06:37 <@plaisthos> etc.
06:38 <@plaisthos> definitely possible but advanced networking stuff
06:38 <@plaisthos> and debugging session with wireshark/tcpdump needed :)
06:39 < PhSnake> THX
06:39 -!- defsdoor_ [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn
06:39 < PhSnake> i'm giving up, anyway I can connect to router via Luci Openwrt web-interface & i can wake it up from there
06:39 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Read error: Connection reset by peer]
07:14 -!- dasmkjhdksa [~dd62@2a03:f80:852:151:236:20:117:1] has joined #openvpn
07:29 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has quit [Remote host closed the connection]
07:34 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
07:46 -!- PhSnake [~PhSnake@109-230-44-144.dynamic.orange.sk] has left #openvpn []
08:03 -!- Haxxa [~Harrison@CPE-58-161-1-116.bqds1.win.bigpond.net.au] has quit [Quit: ZNC 1.6.2+deb1+jessie0 - http://znc.in]
08:04 -!- Haxxa [~Harrison@CPE-58-161-1-116.bqds1.win.bigpond.net.au] has joined #openvpn
08:07 -!- IamError [~tom@unaffiliated/iamerror] has joined #openvpn
08:08 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has joined #openvpn
08:09 -!- Haxxa [~Harrison@CPE-58-161-1-116.bqds1.win.bigpond.net.au] has quit [Quit: ZNC 1.6.2+deb1+jessie0 - http://znc.in]
08:11 -!- Haxxa [~Harrison@CPE-58-161-1-116.bqds1.win.bigpond.net.au] has joined #openvpn
08:16 -!- TribalT [~tribalt@host109-153-159-49.range109-153.btcentralplus.com] has joined #openvpn
08:16 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
08:18 -!- TribalT [~tribalt@host109-153-159-49.range109-153.btcentralplus.com] has quit [Remote host closed the connection]
08:20 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds]
08:26 -!- Haxxa [~Harrison@CPE-58-161-1-116.bqds1.win.bigpond.net.au] has quit [Quit: ZNC 1.6.2+deb1+jessie0 - http://znc.in]
08:27 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
08:27 -!- Haxxa [~Harrison@CPE-58-161-1-116.bqds1.win.bigpond.net.au] has joined #openvpn
08:33 -!- jnewt [~jnewt@c-73-3-60-37.hsd1.ks.comcast.net] has joined #openvpn
08:33 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
08:33 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
08:40 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds]
08:50 -!- defsdoor_ [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Quit: Ex-Chat]
08:51 -!- defsdoor_ [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn
08:53 -!- pothepanda [~thgs@athedsl-303918.home.otenet.gr] has quit [Quit: yo]
08:55 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
09:06 <@dazo> plaisthos: ahh, I see the magic packet magic now :)
09:08 <@dazo> I got confused and misunderstood the "the IP-address (layer 3 in the OSI model) is not used" part.
09:08 <@plaisthos> dazo: :)
09:10 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Read error: Connection reset by peer]
09:13 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn
09:18 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 265 seconds]
09:21 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds]
09:27 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
09:31 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Excess Flood]
09:33 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
09:34 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
09:41 -!- pothepanda [~thgs@2a02:587:3c04:1300:29bd:eda6:11ed:de2d] has joined #openvpn
09:42 -!- allizom [~Thunderbi@87.18.169.6] has joined #openvpn
09:48 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
09:55 < jnewt> so i got vpn set up to my work, but it's really slow. I have 18/3Mbps at home and 16/3Mbps at work. Speedtest is getting about 1.5/1Mbps with a 120mS ping. File transfers are at about 100KB/s over vpn.
09:56 < jnewt> Am I at the limit of my internet connection & the software, or do I keep searching for ways to improve speed?
09:57 -!- xamindar [~quassel@c-24-4-76-244.hsd1.ca.comcast.net] has quit [Read error: Connection reset by peer]
10:09 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 260 seconds]
10:15 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
10:15 -!- mode/#openvpn [+o krzee] by ChanServ
10:16 -!- defsdoor_ [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Ping timeout: 260 seconds]
10:16 -!- xamindar [~quassel@c-24-4-76-244.hsd1.ca.comcast.net] has joined #openvpn
10:20 -!- jnewt [~jnewt@c-73-3-60-37.hsd1.ks.comcast.net] has quit [Ping timeout: 276 seconds]
10:22 -!- jnewt [~jnewt@c-73-3-60-37.hsd1.ks.comcast.net] has joined #openvpn
10:29 -!- defsdoor_ [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn
10:30 -!- jnewt [~jnewt@c-73-3-60-37.hsd1.ks.comcast.net] has quit [Ping timeout: 256 seconds]
10:31 -!- jnewt [~jnewt@c-73-3-60-37.hsd1.ks.comcast.net] has joined #openvpn
10:33 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
10:34 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Client Quit]
10:34 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
10:36 < Bogdar> jnewt, do you use UDP or TCP connection to server?
10:37 < jnewt> UDP
10:38 < Bogdar> jnewt, if you use TCP connection for VPN tunnel (i.e. "proto tcp" in server config) - so performance would be bad in most cases. Tunnel over UDP dramatically improves speed.
10:38 < jnewt> i use UDP
10:40 < jnewt> i've just removed comp-lzo and set sndbuf 0 and rcvbuf 0, and it changed my performance by lowering the ping from 120 to 95 and my speed changed from 1.5/1.0 to 1.2/1.2. i wonder if it has something to do with encryption, i haven't messed with that.
10:42 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has quit [Remote host closed the connection]
10:45 -!- allizom [~Thunderbi@87.18.169.6] has quit [Quit: allizom]
10:45 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has joined #openvpn
10:47 -!- jnewt [~jnewt@c-73-3-60-37.hsd1.ks.comcast.net] has quit [Ping timeout: 264 seconds]
10:49 -!- jnewt [~jnewt@99-127-232-51.lightspeed.mssnks.sbcglobal.net] has joined #openvpn
10:54 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
10:55 -!- jnewt [~jnewt@99-127-232-51.lightspeed.mssnks.sbcglobal.net] has quit [Ping timeout: 265 seconds]
10:56 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
10:57 -!- jnewt [~jnewt@99-127-232-51.lightspeed.mssnks.sbcglobal.net] has joined #openvpn
11:00 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Client Quit]
11:11 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Quit: [BX] Reserve your copy of BitchX-1.2.1 for the Sony Playstation 2 today!]
11:11 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
11:11 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Max SendQ exceeded]
11:12 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
11:12 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Client Quit]
11:12 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
11:16 -!- DArqueBishop [~drkbish@173.11.253.122] has quit [Quit: End of line.]
11:18 -!- DArqueBishop [~drkbish@tyrande.darquecathedral.org] has joined #openvpn 11:23 -!- dasmkjhdksa [~dd62@2a03:f80:852:151:236:20:117:1] has quit [Ping timeout: 240 seconds] 11:23 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 11:24 -!- bdmc [bdmc@cl-745.bos-01.us.sixxs.net] has quit [Ping timeout: 260 seconds] 11:25 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Ping timeout: 240 seconds] 11:25 -!- moriko [~moriko@178.162.222.41.adsl.inet-telecom.org] has joined #openvpn 11:26 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn 11:28 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Client Quit] 11:28 -!- jnewt [~jnewt@99-127-232-51.lightspeed.mssnks.sbcglobal.net] has quit [Ping timeout: 265 seconds] 11:30 -!- jnewt [~jnewt@99-127-232-51.lightspeed.mssnks.sbcglobal.net] has joined #openvpn 11:31 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn 11:31 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Max SendQ exceeded] 11:31 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn 11:31 -!- typ [~quassel@unaffiliated/typ] has joined #openvpn 11:33 -!- defsdoor_ [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Ping timeout: 260 seconds] 11:33 -!- MrAlexandr0 [~MrAlexand@43.232.251.212.customer.cdi.no] has quit [Ping timeout: 260 seconds] 11:33 -!- Gizmokid2005 [~Gizmokid2@dedi2.gizmokid2005.com] has quit [Ping timeout: 260 seconds] 11:37 -!- defsdoor_ [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn 11:37 -!- bdmc [bdmc@cl-745.bos-01.us.sixxs.net] has joined #openvpn 11:37 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds] 11:37 -!- MrAlexandr0 [~MrAlexand@43.232.251.212.customer.cdi.no] has joined #openvpn 11:38 -!- Gizmokid2005 [~Gizmokid2@dedi2.gizmokid2005.com] has joined #openvpn 11:40 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 11:41 -!- jzaw [~jzaw@loki.dzki.co.uk] has 
joined #openvpn 11:43 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Remote host closed the connection] 11:43 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 11:45 -!- e01 [~e01@unaffiliated/e01] has joined #openvpn 11:45 < e01> is it possible to setup openvpn to use system users, i mean users added in the ubuntu be credentionals for the openvpn 11:46 -!- jnewt [~jnewt@99-127-232-51.lightspeed.mssnks.sbcglobal.net] has quit [Ping timeout: 256 seconds] 11:46 -!- jnewt [~jnewt@c-73-3-60-37.hsd1.ks.comcast.net] has joined #openvpn 11:55 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Quit: [BX] Abort Retry Fail] 12:05 < Eugene> e01 - yes, openvpn can auth against anything you want with --auth-user-pass-verify 12:06 < Eugene> I don't know if Ubuntu includes the plugin you need to use system users(PAM) by default 12:07 < e01> Eugene: then is it possible just to run the openvpn because it even dont do anything 12:07 < Eugene> We don't seem to have a factoid for it; this looks like an OK blag on it http://www.linuxsysadmintutorials.com/setup-pam-authentication-with-openvpns-auth-pam-module.html 12:07 <@vpnHelper> Title: Setup PAM authentication with OpenVPN's auth-pam module - Linux Sysadmin Tutorials (at www.linuxsysadmintutorials.com) 12:07 < e01> just run and nothing 12:10 -!- ^CJ^ is now known as ^cj^ 12:16 -!- AlmogBaku [~AlmogBaku@185.28.153.1] has joined #openvpn 12:20 -!- hid3 [~arnoldas@78.157.71.116] has quit [Read error: Connection reset by peer] 12:20 -!- hid3 [~arnoldas@78.157.71.116] has joined #openvpn 12:20 -!- bf_ [~bf_@xdsl-78-35-249-129.netcologne.de] has joined #openvpn 12:30 -!- dazo is now known as dazo_afk 12:30 -!- AlmogBaku [~AlmogBaku@185.28.153.1] has quit [Quit: My Mac has gone to sleep. 
ZZZzzz…] 12:31 -!- AlmogBaku [~AlmogBaku@213.57.118.74] has joined #openvpn 12:33 -!- AlmogBaku [~AlmogBaku@213.57.118.74] has quit [Client Quit] 12:33 -!- AlmogBaku [~AlmogBaku@213.57.118.74] has joined #openvpn 12:51 -!- AlmogBaku [~AlmogBaku@213.57.118.74] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 12:52 -!- bf_ [~bf_@xdsl-78-35-249-129.netcologne.de] has quit [Quit: KVIrc 4.2.0 Equilibrium http://www.kvirc.net/] 13:05 -!- e01 [~e01@unaffiliated/e01] has quit [Quit: Be back later ...] 13:09 -!- speeddra_ [~speeddrag@193.137.28.200] has joined #openvpn 13:11 -!- speeddragon [~speeddrag@193.137.28.200] has quit [Ping timeout: 240 seconds] 13:21 -!- AlmogBaku [~AlmogBaku@213.57.118.74] has joined #openvpn 13:21 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 256 seconds] 13:27 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn 13:29 -!- AlmogBaku [~AlmogBaku@213.57.118.74] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 13:36 -!- AlmogBaku [~AlmogBaku@213.57.118.74] has joined #openvpn 13:38 -!- AlmogBaku [~AlmogBaku@213.57.118.74] has quit [Client Quit] 13:40 -!- AlmogBaku [~AlmogBaku@213.57.118.74] has joined #openvpn 13:40 -!- AlmogBaku [~AlmogBaku@213.57.118.74] has quit [Client Quit] 13:56 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Remote host closed the connection] 13:56 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 14:02 <@ecrist> PAM is also covered in the book 14:02 <@ecrist> !book 14:02 <@vpnHelper> "book" is (#1) http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2! 
or (#2) Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn 14:50 -!- AlmogBaku [~AlmogBaku@37.26.149.236] has joined #openvpn 15:05 -!- AlmogBaku [~AlmogBaku@37.26.149.236] has quit [Ping timeout: 272 seconds] 15:15 -!- weox [uid112413@gateway/web/irccloud.com/x-kgivveyjphgxfspx] has quit [Quit: Connection closed for inactivity] 15:18 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 240 seconds] 15:26 -!- NP-Hardass [~NP-Hardas@gentoo/developer/np-hardass] has quit [Quit: WeeChat 1.4] 15:28 -!- james41382 [~james4138@unaffiliated/james41382] has quit [Ping timeout: 256 seconds] 15:37 -!- jnewt [~jnewt@c-73-3-60-37.hsd1.ks.comcast.net] has quit [Ping timeout: 256 seconds] 15:40 -!- ghoti [~paul@hq.experiencepoint.com] has quit [Quit: Changing server] 15:42 -!- james41382 [~james4138@unaffiliated/james41382] has joined #openvpn 16:10 -!- ghoti [~paul@hq.experiencepoint.com] has joined #openvpn 16:19 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 16:22 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Client Quit] 16:23 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 16:25 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Client Quit] 16:37 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 16:41 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Client Quit] 16:53 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 16:58 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Client Quit] 17:08 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds] 17:11 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 17:28 -!- weox [uid112413@gateway/web/irccloud.com/x-jeqjpgjcxngtevik] has joined #openvpn 17:29 -!- jwhitmore [~jwhitmore@109.79.174.196] has joined #openvpn 17:34 < jwhitmore> 
The Android OpenVPN Connect App is, or seems to be, by a private company. Is there an open App? 17:36 -!- jnewt [~jnewt@c-73-3-60-37.hsd1.ks.comcast.net] has joined #openvpn 17:49 -!- sharro_ [2e2aaf88@gateway/web/freenode/ip.46.42.175.136] has joined #openvpn 17:49 -!- shootbird [~quassel@beepbeep.serverpit.com] has quit [Ping timeout: 240 seconds] 17:49 -!- jwhitmore [~jwhitmore@109.79.174.196] has quit [Ping timeout: 272 seconds] 17:50 < sharro_> Hello all! May I ask some help with setting up openVPN? 17:50 -!- shootbird [~quassel@beepbeep.serverpit.com] has joined #openvpn 17:53 -!- defsdoor_ [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Remote host closed the connection] 17:55 < sharro_> (Sorry for my bad English) I want to "merge" two networks, one is 192.168.0.0 (server's network, server's IP 192.168.0.66) and second on client's side, 192.168.0.0 too. There are no IP conflicts in the networks (1-100 in first and 101-200 in second network), but when I connect to the server, I can only see 192.168.0.66 (server). 
17:55 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 18:12 -!- riddle [riddle@us.yunix.net] has quit [Ping timeout: 265 seconds] 18:15 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn 18:16 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 18:18 -!- hid3 [~arnoldas@78.157.71.116] has quit [Ping timeout: 250 seconds] 18:22 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 240 seconds] 18:24 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn 18:27 -!- nitdega [~nitdega@2602:304:ab12:e9b1:59af:6d07:e39c:6dd0] has quit [Quit: ZNC - 1.6.0 - http://znc.in] 18:28 -!- sharro_ [2e2aaf88@gateway/web/freenode/ip.46.42.175.136] has quit [Ping timeout: 252 seconds] 18:31 -!- hays [~quassel@unaffiliated/hays] has quit [Ping timeout: 244 seconds] 18:42 -!- hays [~quassel@unaffiliated/hays] has joined #openvpn 18:45 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds] 18:48 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 18:49 -!- nitdega [~nitdega@2602:304:ab12:e9b1:59af:6d07:e39c:6dd0] has joined #openvpn 18:53 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds] 18:55 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 18:59 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds] 19:15 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 19:20 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 240 seconds] 19:22 -!- DzAirmaX [~AirmaX@unaffiliated/dzairmax] has quit [Quit: We here br0.... xD] 19:24 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection] 19:28 -!- DzAirmaX [~AirmaX@unaffiliated/dzairmax] has joined #openvpn 19:28 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn 19:42 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. 
ZZZzzz…] 19:42 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 19:44 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 19:48 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 240 seconds] 19:49 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 19:59 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 20:04 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds] 20:05 -!- weox [uid112413@gateway/web/irccloud.com/x-jeqjpgjcxngtevik] has quit [Quit: Connection closed for inactivity] 20:06 -!- jnewt [~jnewt@c-73-3-60-37.hsd1.ks.comcast.net] has quit [Ping timeout: 250 seconds] 20:16 -!- hid3 [~arnoldas@78.157.71.116] has joined #openvpn 20:17 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 20:25 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds] 20:30 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn 20:31 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 20:42 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds] 20:44 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 20:49 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 240 seconds] 20:52 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 20:53 -!- toli [~toli@ip-83-134-71-57.dsl.scarlet.be] has quit [Ping timeout: 246 seconds] 20:59 -!- toli [~toli@ip-83-134-71-64.dsl.scarlet.be] has joined #openvpn 21:00 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds] 21:01 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 21:11 -!- tobinski___ [~tobinski@x2f5498e.dyn.telefonica.de] has joined #openvpn 21:12 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds] 21:14 -!- tobinski_ [~tobinski@x2f5894f.dyn.telefonica.de] has quit [Ping timeout: 250 seconds] 21:16 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 21:29 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds] 21:32 -!- 
22:19 < suttin> oh sweet, this is a thing. http://pastebin.com/1fZQccDA is my current config. I'm getting OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options and OpenVPN ROUTE: failed to parse/resolve route for host/network
22:20 < suttin> if it matters, the openvpn server is on a pfsense box
--- Day changed Wed Jan 27 2016
00:58 < emk> hi all, I've set up openvpn on a windows7 machine, it has 24hour internet but the service is something like a DSL link so it's firewalled by the ISP. How do I get things to be accessible to the outside world?
04:00 < adac> Hi! Does openvpn also have cluster capabilities?
04:03 < adac> hmm I just found out that with "remote" one can set more than one openvpn server
04:04 < adac> so the problem seems to be solved :)
04:04 < adac> awesome!
04:13 < helllen> I have a centos image running openvpn-as-2.0.24-CentOS6.4.x86_64
04:13 < helllen> I would like to autoconfigure with user
04:13 < helllen> I do run /usr/bin/ovpn-init --ec2
04:13 < helllen> but still get options to configure
04:13 < helllen> what could I do?
04:16 < helllen> solved
04:16 < helllen> /usr/bin/ovpn-init --ec2 --batch
04:16 < helllen> thanks!
04:28 < helllen> other problem I have is how could I change the ssh port?
05:51 < asper> hi there, is it possible to create a tun vpn with ipv6 only inside the tunnel? using only the server-ipv6 directive results in an error "Options error: --server-ipv6 must be used together with --server"
06:51 <@dazo> asper: not currently ... you need IPv4 addresses too, as the IPv6 implementation uses some of the IPv4 internals ... however, you don't need to route the IPv4 addresses.
11:00 < hiya> What all can OpenVPN management do?
11:05 < hiya> Should --float be used on both client and server?
14:26 < dougquaid> Is it possible to add iroutes to the openvpn server on the fly (ie without having to disconnect and reconnect a client)?
15:45 < Neighbour> dougquaid: afaik no, since they are put in the ccd's which are read when a client connects
--- Day changed Thu Jan 28 2016
00:06 < furkan> hi, does anybody have any guesses on why I'm getting ~2.5Mbps throughput in one direction, but only ~250kbps throughput in the other direction? this is a site-to-site VPN and both sides have 3Mbps upstream bandwidth
00:07 < furkan> i initially had the MTU set to default but i brought it down to 1080 now
00:08 < furkan> also, CPU usage is virtually 0
01:05 < Bogdar> furkan, do you use 'tcp' for the openvpn tunnel?
01:14 < furkan> Bogdar: no, UDP
06:08 < elfranne> when I use the log option in the server.conf, openvpn fails to start: Options error: port number associated with --management directive is out of range
06:09 < hiya> elfranne, show your server.conf, why do you use management?
06:09 < hiya> you do not need management for logging
06:11 < elfranne> i don't use management, i only uncommented the log openvpn.log line and i get this error
06:11 < elfranne> let me paste the conf on a pastebin
06:11 < hiya> elfranne, you use it, otherwise it would not say so, it is just not possible
06:11 < hiya> yes pastebin it
06:13 < elfranne> http://pastebin.com/PtjYnjHA
06:13 < elfranne> it's nearly the default config
06:14 < hiya> ok
06:14 < hiya> let me check
06:15 < elfranne> i changed user/group nobody, dhcp dns options, redirect gateway, and the dh to 2048
06:16 < elfranne> and the log obviously
06:16 < hiya> push "redirect-gateway def1" # bypass-dhcp"
06:16 < hiya> change it to
06:16 < hiya> push "redirect-gateway def1 bypass-dhcp"
06:16 < hiya> and restart your server
06:16 < hiya> which OS?
06:16 < elfranne> debian 8
06:17 < hiya> Did you upgrade to openVPN repo?
06:17 < hiya> Upgrade to 2.3.10
06:17 < elfranne> let me check that
06:17 < hiya> Also clean your configuration
06:17 < hiya> keep it clean
06:18 < elfranne> i am using OpenVPN 2.3.4
06:19 < elfranne> from debian repo
06:19 < hiya> use clean server.conf
06:19 < hiya> :)
06:19 < hiya> push "redirect-gateway def1 bypass-dhcp"
06:19 < hiya> and restart
06:20 < hiya> your OVPN server
06:20 < hiya> if you want i can share a configuration file
06:20 < hiya> but better upgrade to OVPN 2.3.10
06:23 < elfranne> upgrading repo ...
06:25 < elfranne> you said you had a config example?
06:27 < hiya> no I have a working configuration if you want
06:27 < hiya> :)
06:29 < elfranne> sure let me have a look at that
06:29 < hiya> look?
06:29 < hiya> I charge 5 USD for 1 look
06:29 < hiya> :)
06:29 < hiya> in Bitcoins
06:29 < hiya> I would give server.conf and client.conf both, 100% working and fine
06:30 < elfranne> really ... this is IRC
06:31 < hiya> :)
06:31 < hiya> So what?
06:48 < elfranne> really ... this is IRC
08:44 <@ecrist> hiya: you're retarded
08:45 < hiya> ecrist, Why?
08:46 <@ecrist> you were referred to a networking 101 site due to your lack of understanding of general network concepts a few days ago, but now you're trying to charge people to help them with their openvpn configs
08:46 < hiya> ecrist, So what? I would only make their life easy
08:46 < hiya> ecrist, my server.conf works flawlessly
08:46 <@ecrist> You're not what I would consider an expert
08:47 < hiya> You are an expert
08:47 < hiya> but I am cool with setting up a good VPN on a VPS
08:47 < hiya> ecrist, I run a whole channel, I help 20+ people use VPN on VPS
08:47 < hiya> and VPS was recommended by me too
08:48 < hiya> Debian 8
08:48 < hiya> openVPN 2.3.10
08:48 < hiya> TLS 1.2
08:48 < hiya> HMAC firewall
08:48 <@plaisthos> whatever a HMAC firewall is
08:48 <@ecrist> heh
08:48 < hiya> static key crap
08:48 <@plaisthos> hiya: no it is not
08:49 -!- mode/#openvpn [+q hiya!*@*] by ecrist
08:49 <@plaisthos> hm what is +q?
08:49 <@ecrist> quiet
08:49 <@plaisthos> muted in a non +m channel?
08:49 <@ecrist> yes
08:50 <@plaisthos> ah okay
08:51 <@plaisthos> hiya: I am disgusted by your attempts to charge people to help them
08:51 <@plaisthos> And at least I am not going to tolerate that behaviour
08:52 <@ecrist> ditto
08:52 <@plaisthos> hiya: and also for you:
08:52 <@plaisthos> !query
08:52 <@plaisthos> !private-msg
08:52 <@plaisthos> hm
08:52 <@plaisthos> hiya: and querying people on irc is also considered rude
08:52 <@ecrist> * when uninvited
08:52 <@plaisthos> ecrist: yeah
08:53 <@plaisthos> hiya: and --secret and --tls-auth are different things
08:53 <@plaisthos> and calling that "static key crap" is utterly unprofessional
08:54 <@plaisthos> hiya: stop querying me
08:54 * ecrist won't speak on professionalism
08:54 <@ecrist> my, uh, track record in here is anything but
08:55 <@ecrist> though, it's been quite some time since I drunk-irc'd
08:55 <@plaisthos> ecrist: yeah, but insulting a project in its own channel is a different kind of unprofessional
08:55 <@ecrist> true
08:58 <@ecrist> I'm surprised at how short our +b and +q lists are
08:58 <@ecrist> they used to be much longer
09:00 <@plaisthos> ecrist: I can add you to one of them if you want :p
09:00 <@ecrist> sure!
09:01 <@plaisthos> (but I am not sure if +q even works on +o users)
09:01 -!- mode/#openvpn [+q ecrist!*@*] by ecrist
09:01 <@ecrist> can you see me?
09:01 -!- mode/#openvpn [+pis] by plaisthos
09:01 <@plaisthos> yes
09:01 <@plaisthos> I can
09:01 <@plaisthos> quietly whispering ;)
09:01 <@ecrist> lol
09:01 -!- mode/#openvpn [-q ecrist!*@*] by ecrist
09:01 <@plaisthos> hm
09:01 <@plaisthos> whatever my +q plaisthos did
09:02 -!- mode/#openvpn [-pis] by ecrist
09:02 <@plaisthos> oh
09:03 < wsky> anyways
09:03 <@plaisthos> my mistake
09:03 < wsky> which option on the server side will allow me to push dns address via dhcp?
09:03 <@plaisthos> !dns
09:03 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6] or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4 or (#3) you might be looking for !pushdns
09:03 < wsky> or do i have to run a separate dhcp server for that?
09:03 <@plaisthos> !pushdns
09:03 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir or (#5) Mobile Client like OpenVPN for
09:03 <@vpnHelper> Android and OpenVPN Connect will happily accept push dhcp-option
09:05 < wsky> ok thanks
[Quit: http://www.kiwiirc.com/ - A hand crafted IRC client] 10:27 -!- GrandMasta [32c9e70a@gateway/web/cgi-irc/kiwiirc.com/ip.50.201.231.10] has joined #openvpn 10:30 -!- GrandMasta [32c9e70a@gateway/web/cgi-irc/kiwiirc.com/ip.50.201.231.10] has quit [Client Quit] 10:30 -!- GrandMasta [32c9e70a@gateway/web/cgi-irc/kiwiirc.com/ip.50.201.231.10] has joined #openvpn 10:34 -!- GrandMasta [32c9e70a@gateway/web/cgi-irc/kiwiirc.com/ip.50.201.231.10] has quit [Client Quit] 10:43 -!- GrandMasta [32c9e70a@gateway/web/cgi-irc/kiwiirc.com/ip.50.201.231.10] has joined #openvpn 10:59 -!- hadi [~Instantbi@31.59.48.114] has quit [Read error: Connection reset by peer] 10:59 -!- hadi [~Instantbi@31.59.48.114] has joined #openvpn 11:01 -!- debug0x1 [~user@unaffiliated/debug0x1] has joined #openvpn 11:06 -!- GrandMasta [32c9e70a@gateway/web/cgi-irc/kiwiirc.com/ip.50.201.231.10] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client] 11:07 -!- GrandMasta [32c9e70a@gateway/web/cgi-irc/kiwiirc.com/ip.50.201.231.10] has joined #openvpn 11:16 -!- GrandMasta [32c9e70a@gateway/web/cgi-irc/kiwiirc.com/ip.50.201.231.10] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client] 11:17 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 11:20 -!- GrandMasta [32c9e70a@gateway/web/cgi-irc/kiwiirc.com/ip.50.201.231.10] has joined #openvpn 11:27 -!- GrandMasta [32c9e70a@gateway/web/cgi-irc/kiwiirc.com/ip.50.201.231.10] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client] 11:27 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has joined #openvpn 11:54 -!- marcoslater [marcoslate@freenode/sponsor/halothe23] has quit [Read error: Connection reset by peer] 12:10 -!- moriko [~moriko@178.162.222.41.adsl.inet-telecom.org] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 12:12 -!- dyce [~otr@ns3290920.ip-5-135-184.eu] has joined #openvpn 12:13 < dyce> can openvpn bet setup to do a p2p udp connection like neorouter? 
http://i1-win.softpedia-static.com/screenshots/NeoRouter-Mesh_3.png 12:13 < dyce> be* 12:15 -!- weox [uid112413@gateway/web/irccloud.com/x-cbgkgfycveehqijp] has quit [Quit: Connection closed for inactivity] 12:15 -!- FruitieX [~FruitieX@unaffiliated/fruitiex] has quit [Ping timeout: 260 seconds] 12:18 < Eugene> openvpn does not have meshing built-in, no. 12:19 -!- enki [~enki@dynamic-78-30-156-27.adsl.eunet.rs] has quit [Read error: Connection reset by peer] 12:21 -!- furkan [~furkan@CPEc43dc747aba9-CM78cd8eccfad5.cpe.net.cable.rogers.com] has quit [Ping timeout: 272 seconds] 12:26 -!- GrandMasta [32c9e70a@gateway/web/cgi-irc/kiwiirc.com/ip.50.201.231.10] has joined #openvpn 12:32 -!- GrandMasta [32c9e70a@gateway/web/cgi-irc/kiwiirc.com/ip.50.201.231.10] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client] 12:34 -!- GrandMasta [32c9e70a@gateway/web/cgi-irc/kiwiirc.com/ip.50.201.231.10] has joined #openvpn 12:38 -!- FruitieX [~FruitieX@unaffiliated/fruitiex] has joined #openvpn 12:42 -!- jwhitmore [~jwhitmore@host213-122-247-35.range213-122.btcentralplus.com] has joined #openvpn 12:44 < dyce> Eugene: what is meshing? is it basically doing something like a traceroute from client 1 to the server and client 2 to the server, then says, here client 1, this is how you find client 2? 12:45 < Eugene> short answer: yes 12:46 < dyce> Eugene: and that would not involve needing ports open on the client at all? 
12:47 < Eugene> It would; there's various techniques to get around this, but they're unreliable and technically difficult 12:53 -!- Talltree [~Talltree@talltree.xyz] has joined #openvpn 13:01 -!- GrandMasta [32c9e70a@gateway/web/cgi-irc/kiwiirc.com/ip.50.201.231.10] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client] 13:02 -!- batrick [batrick@nmap/developer/batrick] has quit [Quit: WeeChat 1.3] 13:02 -!- jnewt [~jnewt@c-73-3-60-37.hsd1.ks.comcast.net] has quit [Ping timeout: 256 seconds] 13:02 -!- GrandMasta [32c9e70a@gateway/web/cgi-irc/kiwiirc.com/ip.50.201.231.10] has joined #openvpn 13:03 -!- weox [uid112413@gateway/web/irccloud.com/x-uwwwgumfzdeehtow] has joined #openvpn 13:06 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn 13:12 -!- furkan [~furkan@173.34.178.164] has joined #openvpn 13:18 -!- GrandMasta [32c9e70a@gateway/web/cgi-irc/kiwiirc.com/ip.50.201.231.10] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client] 13:19 -!- GrandMasta [32c9e70a@gateway/web/cgi-irc/kiwiirc.com/ip.50.201.231.10] has joined #openvpn 13:21 -!- jnewt [~jnewt@c-73-3-60-37.hsd1.ks.comcast.net] has joined #openvpn 13:24 -!- allizom [~Thunderbi@host204-165-dynamic.55-79-r.retail.telecomitalia.it] has joined #openvpn 13:26 -!- jnewt [~jnewt@c-73-3-60-37.hsd1.ks.comcast.net] has quit [Ping timeout: 250 seconds] 13:26 <@ecrist> there is just about enough part/quit noise in here to warrant an /ignore 13:26 < Talltree> ecrist: i got all join/leave messages filtered out by default, i dont need them... 
13:26 -!- jnewt [~jnewt@c-73-3-60-37.hsd1.ks.comcast.net] has joined #openvpn 13:27 < Talltree> also, i am extremely unsure how to tunnel ipv6 properly, i've looked at https://community.openvpn.net/openvpn/wiki/IPv6 but i don't understand it 13:27 <@vpnHelper> Title: IPv6 – OpenVPN Community (at community.openvpn.net) 13:28 <@ecrist> Talltree: they can be useful when joeblow joins, fires off a question, then leaves 3 minutes later, then I come along and answer the question for a nonexistent party 13:29 < Talltree> yeah, but looking for the nick real quick doesn't take long :D 13:30 < Talltree> the advantage of not having 3 pages of join/parts to scroll through outweighs the nick lookup 13:30 <@ecrist> so, I just flood my interface with a /names request every time I respond to a question? 13:35 < Eugene> I attempt to tab-complete usernames before thinking about their problem 13:39 < Talltree> haha you just did that with me ecrist :D but i do what Eugene does. 13:40 <@ecrist> but that doesn't fit with my argument. I don't like other points of view 13:40 < Eugene> Yeah well fuck you 13:41 -!- mode/#openvpn [+q Eugene!*@*] by ecrist 13:41 <@ecrist> much better. :) 13:42 -!- mode/#openvpn [-q Eugene!*@*] by ecrist 13:42 -!- mode/#openvpn [+o Eugene] by ChanServ 13:42 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn 13:42 -!- mode/#openvpn [-o ecrist] by ecrist 13:43 * Eugene removes pants from ecrist 13:45 < ecrist> 13:45:27 Ignoring JOINS PARTS QUITS from #openvpn 13:51 < Talltree> pffff hahahahaha those lines 13:51 < Talltree> i almost spewed tea on my screen, you fools! 13:58 < Talltree> anyway, can one of you explain tunneling ipv6 properly for someone extremely new to this like me? 
14:44 < aix> Hi there all 14:44 < aix> I've been directed from #openbsd so here's my issue: I've set up a VPN on OpenBSD with this config: https://sr.ht/DIA5.txt and this firewall config: https://sr.ht/sDUH.txt Clients are getting assigned addresses from 2a03:ca80:8001:7683::/64 but I can only access the local network ranges i.e the ipv6 addresses that are bound on the vpn server 16:19 < LilDog> Hello ! I am looking for suggestions for a cheap vps to install openvpn. Can anybody advise ? 16:44 < LilDog> Hello ! I am looking for suggestions for a cheap vps to install openvpn. Can anybody advise ? 19:53 -!- radonx is now known as r[A]donx 20:06 < c|oneman> check out lowendbox LilDog 21:40 -!- james41382_ is now known as james41382 --- Day changed Fri Jan 29 2016 01:07 <@Eugene> hiya - your quiet was applied by ecrist; you'll need to PM him, mostly because I don't care. 02:23 -!- dazo_afk is now known as dazo 02:34 -!- ^cj^ is now known as ^CJ^ 03:18 <@plaisthos> Eugene: short form: he has basically no openvpn or networking knowledge, got his config working after 3 days and the next tried to charge users here to help them 04:38 -!- ^CJ^ is now known as ^cj^ 05:13 < Nouv> I have an openvpn server setup on windows, which works fine (I can connect to it with other clients). How do I allow all traffic to pass through from the clients that connect? 05:14 < Nouv> I have `push "redirect-gateway def1"` in my config but the clients aren't able to pass traffic through 05:23 < debdog> Nouv: no expert here, but I have this link open atm https://openvpn.net/index.php/open-source/documentation/howto.html#redirect mayhap this helps 05:23 <@vpnHelper> Title: HOWTO (at openvpn.net) 05:27 < Nouv> Anyone? 05:51 < Peixinho_> hi there 05:51 < Peixinho_> I'm having a problem connecting vpn client to different VLANs 05:52 < Peixinho_> might be iptables? 
07:31 -!- dazo is now known as dazo_afk 08:15 < ecrist> Talltree: what do you need to know (re IPv6) 08:19 -!- mode/#openvpn [+o ecrist] by ChanServ 08:19 -!- mode/#openvpn [-q hiya!*@*] by ecrist 08:20 < hiya> heh 08:20 < hiya> I am backkkkkkkkkkkkkkkkkkkkkkkkkkkk 08:20 < hiya> :) 08:20 < hiya> sup people? 08:26 < Talltree> ecrist: i set up my ipv4 vpn on my own server following this guide https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-debian-8 08:26 <@vpnHelper> Title: How To Set Up an OpenVPN Server on Debian 8 | DigitalOcean (at www.digitalocean.com) 08:26 < hiya> and? 08:27 < Talltree> and then looked into ipv6 enabling it, and i use different config values than shown in that guide... and i dont understand it well enough to make it happen 08:27 <@ecrist> Talltree: I don't generally go read XYZ how-to. What problems are you having getting IPv6 deployed? 08:27 <@ecrist> have you looked at the man page on the website? 08:28 < Talltree> yeah, but those "you should have XY" dont apply really to me, i could paste you my config if you want 08:28 <@ecrist> !configs 08:28 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting 08:28 <@ecrist> afk a few 08:28 < hiya> Talltree, I need to know, what the problem is? 08:28 < Talltree> enabling ipv6 tunneling on my VPN ;D 08:29 < hiya> Ok wait give me your configuration I would try to edit 08:29 < hiya> but first do you have Ipv6 support? 08:29 < hiya> ifconfig 08:29 < hiya> what does it say? 08:29 < Talltree> let me ssh into my server real quick 08:29 < DArqueBishop> Talltree: keep in mind that hiya doesn't exactly know what he's doing. 
08:29 < hiya> :( 08:29 < hiya> DArqueBishop, Why do you think so? 08:30 < DArqueBishop> I don't know... it could be the fact that you have a shaky grip on networking fundamentals and have been told to read up on it on at least one occasion. 08:30 < Talltree> eth0 has an ipv6 address 08:31 < Talltree> i am bad at networking fundamentals too, its really not my field... 08:32 < hiya> Talltree, Ok then we all are all set 08:32 < hiya> send me your configuration 08:32 < hiya> https://spit.mixtape.moe/ 08:32 <@vpnHelper> Title: Mixtape Paste (at spit.mixtape.moe) 08:32 < hiya> select 1h or 5m 08:33 < DArqueBishop> Talltree: I'd offer to help but my IPv6 knowledge is pretty weak. 08:33 < Talltree> http://pastebin.com/23BW1xiQ 08:34 < Talltree> i guess i will wait for ecrist :D 08:35 < DArqueBishop> Talltree: have you tried looking at this? 08:35 < DArqueBishop> https://community.openvpn.net/openvpn/wiki/IPv6 08:35 <@vpnHelper> Title: IPv6 – OpenVPN Community (at community.openvpn.net) 08:35 < Talltree> i did DArqueBishop but i didnt understand it fully 08:35 < hiya> Talltree, I would make it work for you 08:36 < Talltree> english is not my native language, and networking stuff isnt even close to my field 08:36 < DArqueBishop> So, let me ask this, if you don't mind: 08:36 < DArqueBishop> Why do you need IPv6 routed over the VPN? 08:36 < Talltree> because my home provider is native ipv6 08:36 < hiya> server-ipv6 IP::/64 08:36 < hiya> push “route-ipv6 ::/0” 08:37 < hiya> Talltree, ^ just add this in your server.conf 08:37 < Talltree> and if i ident test on some site for example 08:37 < hiya> server-ipv6 IP <-- IP here is what you see in ifconfig 08:37 < hiya> Do it and reboot 08:38 < Talltree> reload the config you mean... 08:38 < hiya> restart the OVPN server 08:38 < hiya> did you enable IPv6 forwarding? 08:38 < DArqueBishop> Talltree: don't listen to him. 08:38 < hiya> Talltree, ^ do this when it does not work 08:38 < DArqueBishop> His route push is wrong. 
08:39 < Talltree> like i said ima wait for ecrist, he seemed like he knows whats up :D and being op here etc 08:39 < hiya> Talltree, just try and learn but its upto you 08:39 < DArqueBishop> That would be your best bet. 08:39 < Talltree> the server is ipv6 enabled, i have a full /64 stack 08:40 < Talltree> DArqueBishop: i tried to see if ident sites could still see my original ip etc 08:40 < Talltree> and those with ipv6 capabilities could 08:40 < Talltree> because my ipv6 traffic wasnt tunneled 08:40 < Talltree> at least i think thats the issue 08:40 < DArqueBishop> That sounds right. 08:41 < Talltree> thought so, i hate that new ipv6 ipv4 hassle 08:41 < DArqueBishop> The OpenVPN server needs to be configured to tunnel IPv6 traffic. 08:41 < Talltree> its funny that my root provider gives me a full /64 stack 08:42 < Talltree> thats like how many addresses? 1.8 quintillion? 08:42 * ecrist returns 08:42 * Talltree has to go afk 5 mins 08:44 <@ecrist> Talltree: by spec, a /64 is the minimum allocation. 08:44 <@ecrist> if you have multiple segments, a /48 is the next most common allocation. 08:45 < Talltree> i could pm you my eth0 screen etc 08:45 < Talltree> if you need that 08:46 < hiya> does it start with 2001:? 08:46 <@ecrist> No. I asked for your configs earlier. 08:46 < Talltree> i did pastebin it 08:46 < hiya> or fe80*? 08:46 < Talltree> http://pastebin.com/23BW1xiQ 08:46 < Talltree> both 08:46 < DArqueBishop> Honestly, Talltree... ecrist would probably correct me, but your config shouldn't be very difficult to convert into an IPv6 version. 
08:46 < Talltree> Scope:Global Scope:Link 08:47 < Talltree> DArqueBishop: the problem is too that i dont want to connect to an ipv6 address, since i want to use the VPN at work too 08:47 < Talltree> there is another problem then too, atm i have cert auth, i would like to have simple username/pw too 08:47 < Talltree> i know that there is a pam plugin or something for that, but i didnt understand that correctly too i think 08:48 < DArqueBishop> Talltree: I THINK it's possible to set it up where you connect to it via IPv4 and it can tunnel IPv6. 08:49 < DArqueBishop> Again, my knowledge isn't the greatest. I am frequently wrong. :-) 08:49 < Talltree> being wrong is the first step to being right :D 08:49 < hiya> I already gave the solution 08:49 < DArqueBishop> Your solution was wrong, hiya. 08:49 < Talltree> since someone will likely correct me :D 08:49 <@ecrist> hiya: this isn't a competition. 08:49 < hiya> DArqueBishop, w/e 08:49 < hiya> ecrist, :) ok 08:49 < DArqueBishop> Just out of curiosity, Talltree, why user/pw authentication? 08:50 < Talltree> my work has old xp stations 08:50 < Talltree> without admin rights 08:51 < Talltree> the only client that will work is a client that works properly afaik is a client that doesnt even have cert auth 08:51 < Talltree> that sentence was such a grammar mess :D 08:51 <@ecrist> Talltree: You're going to be looking for the --server-ipv6 in the man page 08:51 <@ecrist> https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage 08:51 <@vpnHelper> Title: Openvpn23ManPage – OpenVPN Community (at community.openvpn.net) 08:52 <@ecrist> As far as your IPv6 allotment, do you have a single IP space, or a routed space? 08:52 < Talltree> how do i check that? 08:52 < Talltree> see, no idea what that means :D 08:52 <@ecrist> i.e. you have a WAN interface to your upstream provider with an IPv6 address, plus an additional /64 you can assign, that is routed to your WAN IP? 08:54 < Talltree> eh... 
its a linux vm on a server somewhere, i had to assign one ipv6 address to make it work... 08:56 <@ecrist> To avoid NAT/PAT, you'll need to request a second /64 from your upstream provider. This will become your VPN subnet 08:57 < Talltree> i think i got the full range, but i gave the eth0 one address of those to enable ipv6 initially ecrist 08:59 < Talltree> dunno if that makes sense 08:59 <@ecrist> Talltree: please no more PMs 08:59 <@ecrist> no need for them. 09:00 < Talltree> okay^^ just trying to make sure its correct what i am saying by giving you the info i got available 09:00 <@ecrist> You will need to either 1) NAT your IPv6 traffic (yuk) or 2) request a routed /64 to one of your current IPv6 addresses. 09:00 <@ecrist> I didn't ask for your eth0 IP information. :) 09:00 <@plaisthos> or do proxy-ndp (different yuk) 09:00 <@plaisthos> !proxy-ndp 09:01 <@plaisthos> (just use google) 09:02 < Talltree> i dont know how i request a routed /64 to my ipv6 addresses 09:02 < Talltree> i dont even know what that means, lol 09:02 * ecrist draws a pretty picture. 09:02 < Talltree> yey! 09:03 <@ecrist> it'll be a few minutes 09:07 < Talltree> why cant this be as simple as gulp or jquery :D 09:09 <@ecrist> Alright, no pretty pictures. 09:09 <@ecrist> So, think of it this way. Your ISP has given you a /64 IPv6 block 09:09 <@ecrist> For argument's sake, let's say it is 2001:feed:beef:a::/64 09:10 <@ecrist> You have assigned 2001:feed:beef:a::1 to your VM 09:10 < Talltree> correct^^ 09:11 <@ecrist> You ask your ISP to give you a second, routed /64 block, and ask them to route that to 2001:feed:beef:a::1, they assign you 2001:dead:beef::/64 09:11 <@ecrist> so, you then configure OpenVPN for the 2001:dead:beef::/64 range, and OpenVPN will use, by default, the 2001:dead:beef::1 IP. 
09:11 <@ecrist> and assign other IPs to clients as they connect 09:12 <@ecrist> so the route from the internet goes Internet -> ISP -> Your VM -> OpenVPN -> Clients 09:12 < Talltree> but why then a second ipv6 address? 09:12 -!- dazo_afk is now known as dazo 09:13 < Talltree> or second ipv6 range... 09:13 <@ecrist> because OpenVPN acts as a router, so you need a route "hop" from a VPN client to your ISP 09:13 <@ecrist> You can't skip the VM 09:14 < Talltree> but for ipv6 he creates tun0 doesnt he? 09:14 < Talltree> that doesnt have a real ip either 09:14 < Talltree> *ipv4 09:15 <@ecrist> I don't understand your question 09:19 < Talltree> if i understood that right, he needs an own ipv6 address to route from it to another one 09:19 < Talltree> but the server doesnt do that for ipv4 doesnt it? 09:20 < Talltree> if i start the server it created a tun0 interface with 10.8.0.1 09:20 < Talltree> and when i connect to the server i get assigned an address on that emulated interface? or not? 09:23 < hiya> Talltree, did it work yet? 09:24 <@ecrist> Talltree: the server does the same thing 09:24 <@ecrist> In your case, you're configuring NAT, though. 09:25 <@ecrist> You can also configure NAT for IPv6, but the whole point of the HUGE address space is you shouldn't ever have to. 09:25 < Talltree> i dont like the idea of paying for another /64 address space just so it's "cleaner" 09:26 < Talltree> i am against bad practices, yeah, but i dont see the point in this case, maybe i dont understand it correctly 09:26 <@ecrist> Your ISP is charging you for v6 space? 09:26 < Talltree> i get confused when you say ISP 09:26 < Talltree> ISP = serverr provider 09:27 <@ecrist> yes 09:27 < Talltree> or ISP = My provider at home? 
09:27 <@ecrist> whoever provides internet service to your VM 09:27 < Talltree> server provider, yes, if i get another full 64 stack its additional service 09:27 < Talltree> like another ipv4 address 09:27 < Talltree> if i just take blablabla::2 09:27 < Talltree> then ofc not :D 09:27 <@ecrist> That's novel. I've never seen a provider charge for v6 space. 09:28 <@ecrist> Who is the provider? 09:28 < Talltree> https://www.netcup.eu/vserver/#features 09:28 <@vpnHelper> Title: netcup GmbH - Root Server (at www.netcup.eu) 09:28 < Talltree> i got packet M 09:29 < Talltree> its a /64 subnet 09:29 < Talltree> https://www.netcup.eu/vserver/root-server-erweiterungen.php 09:29 -!- dazo is now known as dazo_afk 09:29 < Talltree> extra ipv6 subnet = 1 euro more 09:30 -!- dazo_afk is now known as dazo 09:31 <@ecrist> so, if you don't want to pay, you'll need to nat your v6 traffic 09:32 < Talltree> i dont want to pay :D 09:32 < Talltree> whats with the ndp? i didnt get that fully either... 09:32 <@ecrist> You'll have to read up on that. 09:32 <@ecrist> I've hit my limit. 09:32 <@ecrist> !101 09:32 <@vpnHelper> "101" is This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc 09:33 < Talltree> ha if i search for ndp in my native language i get so neo nazi party.. 09:35 < Talltree> like i said, i've read a lot about this stuff, but networking is extremely complicated for me... 09:44 < NickFreak> !welcome 09:44 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. 
|| Also interesting: !man !/30 !topology !iporder !sample !forum 09:44 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 09:45 < NickFreak> !howto 09:45 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN 10:04 < hiya> Why does down-root plugin not work with client as a service is used? 10:04 < hiya> I think it is not fixed yet 10:07 <@plaisthos> Talltree: they're officially not Nazi, just very right-wing :_) 10:07 <@plaisthos> if your native language is german 10:07 -!- dazo is now known as dazo_afk 10:07 < Talltree> i'd say the NPD is pretty much a nazi party 10:08 < Talltree> you could argue about AfD not being one just right winged 10:08 <@plaisthos> Talltree: yes they are 10:08 < Talltree> fun drinking game, watch a press conference of the afd, and every time he says something that sounds like 1938, drink 10:08 <@plaisthos> but officially they have to be a democratic party :) 10:08 < Talltree> you will be smashed in no time 10:09 <@plaisthos> Talltree: http://afdodernpd.de/ 10:09 <@vpnHelper> Title: AfD oder NPD? (at afdodernpd.de) 10:09 <@plaisthos> Talltree: https://de.wikipedia.org/wiki/Neighbor_Discovery_Protocol 10:09 <@vpnHelper> Title: Neighbor Discovery Protocol – Wikipedia (at de.wikipedia.org) 10:09 < Talltree> i read that 10:09 < Talltree> i understood half of it 10:10 < Talltree> or a bit less 10:10 < Talltree> still pretty hard to gasp for me... 
10:10 < Talltree> grasp 10:11 <@plaisthos> search for hetzner proxy ndp 10:11 <@plaisthos> their network is kind of broken 10:11 <@plaisthos> so that many people had to resort to that stuff 10:11 < Talltree> hahahah »German politics has a responsibility of its own to ensure the survival of its own people, its own nation.« i was like 100 % npd, but its afd 10:12 < Talltree> unbelievable 10:14 < Talltree> when i am finished with openvpn i will never touch network stuff again, and i will be so happy 13:34 < Rayston> anyone know if there is a way to route EVERYTHING but certain sites (netflix etc. ) through my VPN Client running on Tomato Router? 13:42 < zoredache> redirect your gateway, then add static routes to the network gateway for the sites you don't want local 13:43 < zoredache> ie use google directly. push "route 8.8.8.8 255.255.255.254 net_gateway" 13:44 < zoredache> or google dns anyway. 13:48 -!- dazo_afk is now known as dazo 14:01 < Rayston> hmm, kay, thanx 14:49 -!- dazo is now known as dazo_afk 15:36 < cwage> hi. can anyone tell me why these instructions/scripts set an IP address on br0? https://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html#linuxscript 15:36 <@vpnHelper> Title: Ethernet Bridging (at openvpn.net) 15:36 < cwage> why would you need an IP address on a bridge? i guess i need to choose something other than the primary IP address on the bridged interface in question either way? 15:40 < zoredache> what? 15:42 < cwage> zoredache: are you talking to me? 16:10 < zoredache> Yes, I am trying to figure out what you are asking. You are asking why the openvpn server needs an IP address? 16:12 < cwage> no, I am asking why the linked instructions have you set an IP address on a bridge interface 16:14 < zoredache> as opposed to what? If you look closely, that will be the only IP address on the system at all. 
16:19 < cwage> it's not the only IP address on the system -- eth0 already has an IP address 16:23 < zoredache> no, it doesn't. See the `ifconfig $eth 0.0.0.0 promisc up` line in the bridge start? That is an interface with no ip address. 16:26 < zoredache> That `bridge-start` script is written from the assumption, that there is no other networking configuration present on the system. 16:30 < cwage> ah i see 16:30 < cwage> not used to seeing addresses assigned to a bridge interface 17:59 < cwage> can anyone help me understand what is failing here? https://gist.github.com/f7718697dcf98af8f777 17:59 <@vpnHelper> Title: - · GitHub (at gist.github.com) 17:59 < cwage> this config was working with a routed tun0 config -- auth succeeded via ldap and setup a tunnel 17:59 < cwage> i changed it to bridged, and now authentication is failing somehow further on 17:59 < cwage> not clear to me how/why 18:00 < cwage> oh hm, https://github.com/threerings/openvpn-auth-ldap/issues/4 looks related 18:00 <@vpnHelper> Title: auth-ldap - problem connecting to server · Issue #4 · threerings/openvpn-auth-ldap · GitHub (at github.com) 18:59 -!- s7r_ [~s7r@openvpn/user/s7r] has joined #openvpn 18:59 -!- mode/#openvpn [+v s7r_] by ChanServ 19:07 -!- Netsplit *.net <-> *.split quits: +s7r 19:07 -!- MagiC3PO is now known as Magiobiwan 19:07 -!- funnel_ is now known as funnel 19:23 -!- Tenhi_ is now known as Tenhi 22:20 < hiya> hi guys 22:20 < hiya> :) 22:21 < hiya> Do you think it is possible to optimize OpenVPN traffic? 22:23 < wsky> optimize? you mean like using tc? 22:23 < hiya> I am getting 65mbps on my VPS if I do ./speedtest-cli 22:24 < hiya> but can I improve actual performance for a client with 1Gbps connection? 22:24 < hiya> like he gets 70 Mbps? 
22:24 < hiya> :) 22:41 < c|oneman> if your openvpn server speedtests at 65mbps, then your openpvn performance cannot be faster than that 23:13 < hiya> c|oneman, ok, I thought we could maybe use compression and use some performance --- Day changed Sat Jan 30 2016 01:07 < hiya> Could SHA512 as auth and AES-256-CBC and TLS 1.2 (4k keys) cause huge processing power demand? 01:40 < c|oneman> dunno 01:40 < c|oneman> you could check if the cpu is topping out with top 01:41 < hiya> c|oneman, What should it say? 01:41 < c|oneman> hmm, it depends how many cores you have 01:41 < hiya> 1vcore 01:41 < hiya> VPS 01:41 < c|oneman> install htop, that will show you how much cpu usage is happening in realtime 01:42 < c|oneman> if its below 80% when you're transferring at 70mbps over vpn then its not a limiting factor 01:43 < hiya> it says 0.9 to 1.2 % 01:43 < hiya> Mem 56/1000 MB 01:43 < hiya> and Swp 0/459 01:43 < hiya> :) 01:43 < hiya> hehe 01:43 < c|oneman> while transferring? 01:43 < hiya> no 01:43 < hiya> right now no one is one 01:43 < hiya> VPN server 01:43 < c|oneman> yeah you gotta check while transferring 01:44 < hiya> while 20 Mbps is used? 01:44 < c|oneman> its probably just the vps provider that limits your speed 01:44 < c|oneman> well, the maximum 01:44 < hiya> 65Mbps is maximum 01:46 < hiya> c|oneman, Do you have good Internet? 01:46 < c|oneman> I do 01:54 < hiya> c|oneman, Sorry I was thinking if you could try and help me check 01:54 < hiya> because most of my users are 1-2 Mbps 01:54 < c|oneman> I probably won't be able to max it out from home, I only have 30mbps 01:57 < hiya> c|oneman, that is like half of the Bandwidth of my VPS 01:57 < hiya> So it might help 01:57 < hiya> you can download a 10GB file 04:37 < derdud3> hey guys 04:39 < derdud3> how much clients on the vpn are possible if i use a tun device? 
i read two tutorials and one said that only 6 clients minus broadcast and minus gateway and vpn server are possible which means only one client per endpoint 04:39 < hiya> hi 04:39 < derdud3> the other tutorial said that there are 64 clients per subnet possible :> 04:39 < hiya> derdud3, if you use Community OPenVPN then any number 04:39 < derdud3> now i am confused 04:39 < hiya> if you use AS then limited (licensed based) 04:39 < hiya> Are you using community OPenVPN? 04:39 < hiya> then you can set any number you want 04:40 < derdud3> what is community openvpn? 04:40 < derdud3> sorry, never heard of it and my english isnt so good :> 04:41 < derdud3> let me google it ;> 04:42 < hiya> derdud3, how did you install openVPN server? 04:43 < derdud3> its running on my openwrt router and i installed it out of the openwrt repositories 04:43 < derdud3> and my clients are only linux and android clients 04:44 < derdud3> because of this i have to switch from tap to tun because my cyanogenmod now doesnt support tap modules :/ 04:44 < hiya> ok 04:44 < hiya> it is unlimited clients 04:44 < hiya> :) 04:44 < hiya> but I think he can only handle 10 maybe 04:45 < hiya> depends on your router's hardware 04:45 < derdud3> hiya, perfect, thank you very much 04:45 < derdud3> 3 should be good enough ;> 04:45 < derdud3> its only that i have to connect me to more than one machine in my subnet 04:47 < hiya> derdud3, that is good :) other than this is everything working fine? 04:47 < derdud3> at the moment its working like charm with the tap module and i love openvpn 04:47 < derdud3> nice work guys 04:48 < derdud3> the only thing is that i have to migrate now to tun module because of the missing tap module on the android and the android client that i use supports only tun modules :/ 04:49 < hiya> yep 04:49 < hiya> Why do you need tap for? 
04:52 < derdud3> because i configured my whole openvpn with the tap modules ;> 04:52 < derdud3> and you know, never change a running system ;> 04:52 < derdud3> and is it possible to make the openvpn network as part of my lan and separate it only 04:52 < derdud3> with the tun module? 04:54 < derdud3> like make my whole network for example 192.168.1.0/24 and put all the machines that i like to connect in 192.168.1.32/27 04:54 < derdud3> would this configuration be possible? 04:55 < derdud3> i hope that is understandable what i mean ;D 04:56 < derdud3> https://play.google.com/store/apps/details?id=net.openvpn.openvpn <-- this one is the official openvpn android client right? 04:56 < derdud3> its a pity that it doesnt work with tap modules 04:57 < hiya> derdud3, I think client-to-client 04:58 < hiya> with tun is almost same as that 04:58 < hiya> if you use topology subset 04:59 < derdud3> with the tap module it was like the dhcp server gave me a release of my lan and used the tap module as a bridge to connect to the network 04:59 < derdud3> like this i havent had the problems to use different subnetworks 05:00 < derdud3> but all the tutorials of the tun module looks like i have to have a different network for the computers which i like to connect over the vpn 05:01 < derdud3> later on the day i would like to play around with it ;> 05:19 < hiya> ok 05:22 < derdud3> would be nice if i can get it working with the tun module like with the tap before 05:23 < derdud3> why does the official android openvpn client does not support tap ovpn? 05:28 < hiya> Android does not work 05:29 < hiya> I don't know 05:29 < hiya> :) 05:29 < hiya> derdud3, just set tun as client-to-client 05:29 < hiya> and it should work fine 05:44 < derdud3> hiya, thank you very much! 05:45 < derdud3> android normally works fine too! i used it on my old cyanogenmod (that had have a tap module) all the time with an alternative openvpn client... 
but now this client does not work because it expects a tap module and the new cyanogenmod kernel is built without modules 06:05 < hiya> derdud3, I would work out of the box 06:05 < hiya> :) 06:08 < derdud3> hiya, the openvpn android client with tap module? when i try to import my config with tap module it says "only profiles with tun modules are supported" 06:38 -!- rich0_ is now known as rich0 07:38 < TheAlien> hey all! happy weekend. ive got openvpn (as part of ClearOS) working. but if i connect with the same username from a 2nd computer, dhcp gives me the same ip as the first. that cant be good! is that normal? seen it before? can that be changed so the 2nd computer either gets a different ip or is refused? thanks :) 09:58 < AlmogBaku> Hi 09:59 < AlmogBaku> anyone knows what does `learn-address update` should do? 10:29 < moviuro> hi all! How could I have both a fixed ipv6 address + a more or less random ipv6 address for ALL my clients? 10:30 < moviuro> (like fixed "normal IPv6 addr" + "privacy IPv6") 11:14 < hiya> ecrist, What is the maximum key + dh size we can use? 11:15 < hiya> Can we use 8k DH or 8k RSA keys? 11:34 < kaiza> Any Canadians know of a US/CA VPN that isn't currently being blocked by Netflix? Or is it just all VPNs? D: 15:11 <@plaisthos> hiya: stop giving advise when have no idea, please 15:11 <@plaisthos> hiya: tap/tun and client-to-client have *nothing* to do with each other 15:27 <@Eugene> TheAlien - OpenVPN(not DHCP) identifies clients based upon the CN(with certificates) or usernames(when using those). Using the same username in two places means that as far as the server can tell it's the same client, so it gets the same address(and the first connection gets dropped) 15:27 <@Eugene> DHCP is not involved in OpenVPN, unless you're doing something dumb with TAP+bridging, which you shouldn't do. 
15:27 <@Eugene> !dupe 15:27 <@vpnHelper> "dupe" is (#1) see --duplicate-cn in the manual (!man) to see how to allow multiple clients to use the same key (NOT recommended) or (#2) instead, use !pki to make a cert for each user 15:53 <@Eugene> moviuro - The IPv6 "privacy" thing is basically bullshit security-through-obscurity. My advice is to just take whatever address you get(or set manually), and then set up your firewall correctly to begin with. NAT is not a firewall, and neither are privacy extensions - it's just a little bit of anonymity 15:54 <@Eugene> That being said, OpenVPN doesn't really support having multiple IPv6 addresses for a single client anyway 15:54 <@Eugene> You can route a block(eg, a /64) to the client's tunnel IP, and then do whatever you want inside of that 16:10 < moviuro> Eugene: that sounds complicated. I wish I'd have a simple push for the fixed IP and a random push for the second one, with according metrics 16:10 < moviuro> (I'd like to not change my client's configuration) 16:18 <@Eugene> No, it isn't. 16:18 <@Eugene> What you're describing is more complicated 16:19 < moviuro> Eugene: privacy extensions have been RFC-ied ;) so it could have been an expected behavior 16:19 <@Eugene> OpenVPN has --ifconfig-ipv6-pool built-in; anything you do past that is on your own 16:19 < moviuro> especially when openvpn knows how to assign ~random addresses to its clients. 16:19 <@Eugene> RFCs are worth the paper they're written on. 
Feel free to submit a patch to openvpn to get your desired behaviour, but that's silly 16:21 <@Eugene> RFCs 2324 and 7168 are also un-implemented, and care about those way more 16:21 <@Eugene> I care* 16:23 < moviuro> Eugene: that was some serious trolling you just threw at my face ^_^" I'll try to remember those numbers 20:42 < higuita> hi, i want to route all the traffic to the vpn, but i'm in bridge mode and 'push "redirect-gateway def1"' will put the gateway to the openvpn server instead of the network gateway 20:43 < higuita> how to use redirect-gateway def1 but push the correct gateway? 22:27 < hiya> plaisthos, The client-to-client directive can also be used in TUN-style networks. It works in exactly 22:27 < hiya> the same manner as in this recipe, except that the OpenVPN clients do not form a single 22:27 < hiya> broadcast domain. 22:28 < hiya> if we use topology subnet isn't it the same as unbridged? 22:28 < hiya> IamError, did you copy ioerror? :P --- Day changed Sun Jan 31 2016 00:33 < hiya> hello 00:37 < emjaytee404> Hey all. Looking for a bit of networking help. Here's my ifconfig: http://sprunge.us/NBRQ and here's my route -n: http://sprunge.us/jWQE I get no reply when trying to ping either of my 10.4.8.92 or 192.168.128.18 IPs. I'm pretty sure my route needs something extra. Any ideas? 01:08 <@Eugene> moviuro - No, trolling would be berating your choice of underwear. I'm sharing my knowledge of what works and what is an utter waste of time. Whether or not you take that info is up to you. 01:09 <@Eugene> hiya - client-to-client has exactly nothing to do with whether you're using tun or tap. It does have some effect when doing Bridging(which requires tap) vs Routing(works with either style), but for the love of fuck, don't use bridging. 
01:09 <@Eugene> And the various invocations of --topology are another different thing entirely, also not-directly-connected to tun/tap or client-to-client/not 01:10 < hiya> Eugene, No no, I am not using anything, I am just saying if you use topology subnet with tun and use client to client won't it work like unbridged tap? 01:11 <@Eugene> emjaytee404 - `ip addr` and `ip route` are the modern/preferred way of viewing that info. Anyway, "get no reply" from ping can be a lot of different things; most commonly firewall not allowing ICMP 01:12 < emjaytee404> Eugene: Thanks. I'm not running a firewall on this box though... 01:12 <@Eugene> Well that makes it a bit simpler then. Where are you pinging from/to? And what's the full layout look like.... 01:12 <@Eugene> !config 01:12 <@vpnHelper> (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose. 01:12 < emjaytee404> Do you want me to paste the output of those? 
01:12 <@Eugene> !configs 01:12 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting 01:13 < emjaytee404> !paste 01:13 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show 01:13 <@Eugene> hiya - client-to-client+topology subnet+tun makes it behave similar to a standard LAN subnet, but only Layer3 traffic. switching to tap would get you L2 traffic as well 01:14 < emjaytee404> Mmmm... I understood some of those words. :) 01:14 <@Eugene> emjaytee404 - this flowchart may be of interest to you 01:14 <@Eugene> !clientlan 01:14 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for 01:14 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/clientlan.png 01:14 < emjaytee404> I'm fairly geeky, and given enough time I will learn. 01:15 <@Eugene> Assuming that's what you're doing, anyway 01:17 < emjaytee404> OK, give me a minute to explain my layout. 01:17 <@Eugene> No promises I'll be around. 
It's near my bedtime 01:20 < emjaytee404> Heh, it's actually near mine too. Let me do some more reading and I'll try to gather my complete picture, so to speak. 01:20 < emjaytee404> I appreciate the pointers though. 01:21 <@Eugene> !route 01:21 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or 01:21 <@vpnHelper> client 01:21 <@Eugene> All hail the flowcharts 01:43 < hiya> Eugene, That is what I told him, I did not tell him anything else :( 01:43 < hiya> Eugene, He wanted Android / iOS support too 01:43 < hiya> So I said if he uses all of it, it won't hurt and he can even play games etc 01:53 < hiya> Is there any way to limit bandwidth / client? 01:53 < hiya> does openvpn divide it evenly in case of multiple users On server? 01:57 < hiya> nmap used to be a thing, it is not even a thing any more, everyone uses it and finds nothing :) 02:34 < TheAlien> hey all! happy weekend. i've got openvpn (as part of ClearOS) working. but if i connect with the same username from a 2nd computer, dhcp gives me the same ip as the first. that can't be good! is that normal? seen it before? can that be changed so the 2nd computer either gets a different ip or is refused? thanks :) Eugene partially answered this... 02:35 < TheAlien> "OpenVPN(not DHCP) identifies clients based upon the CN...as the server can tell it's the same client, so it gets the same address(and the first connection gets dropped)" 02:37 < TheAlien> Eugene: buuut! that's NOT what happens, they both get the same ip, and remain connected, without expressing any sort of related error. 
can't figure out how the network traffic works but the new one affects the link quality on the first one. seems like a possible gaping security hole there. 02:38 < TheAlien> if i can get it to at least refuse the second connection or perhaps behave as Eugene described, that would be much better ;) furthermore there's this ipp.txt file, lists my username and a .4 ip.. but when i connect i consistently get .6 for all clients. isn't that a bit odd? 02:53 -!- Bose is now known as n0tty 03:36 -!- n0tty is now known as Bose 04:33 < hiya> is it advised to use easy-rsa from distribution or get new one from server? 06:28 -!- Netsplit *.net <-> *.split quits: @krzee, +s7r_, Dougy, +esde, @dazo_afk, @syzzer, +hazardous, +RBecker, @vpnHelper, @plaisthos 06:31 -!- Netsplit over, joins: +hazardous, @krzee, @vpnHelper 06:31 -!- ServerMode/#openvpn [+oo Eugene vpnHelper] by asimov.freenode.net 06:32 -!- Netsplit over, joins: @dazo_afk, @syzzer 06:33 -!- Netsplit over, joins: +esde 06:33 -!- Netsplit over, joins: +s7r_, @plaisthos 06:33 -!- Netsplit over, joins: Dougy 06:33 -!- mode/#openvpn [+v RBecker] by ChanServ 06:33 -!- Netsplit over, joins: RBecker 06:38 -!- SupaYoshi_ is now known as SupaYoshi 07:15 < hiya> hey how do we control a client's bandwidth? 07:15 < hiya> Kindly guide me in the right direction? 09:40 < hiya> iptables -I FORWARD 5 -s -p tcp -m quota --quota 2147483648 -j ACCEPT 09:40 < TheAlien> hiya: figure it out yet? i seem to remember an option you can put in the config file or command line. openvpn --help 09:40 < hiya> how can I limit bandwidth for a given private IP? 
09:40 < hiya> and I do not want ports 09:41 < hiya> I do not want proto settings 09:41 < TheAlien> that i dont know, im pretty new too 09:41 < hiya> it has to be overall w/e a user does 09:41 < hiya> TheAlien, me too 09:41 <@plaisthos> hiya: there is the bandwidth option 09:41 <@plaisthos> but that works only in one direction 09:42 <@plaisthos> other than that OpenVPN does not support bw limitation 09:42 < hiya> plaisthos, Can you help me with that iptables settings? 09:43 <@plaisthos> !iptables 09:43 <@vpnHelper> "iptables" is (#1) To test if netfilter ("iptables rules") are your problem, disable all rules with an ACCEPT policy. See https://github.com/QueuingKoala/netfilter-samples/tree/master/reset-rules for a script to do this. or (#2) See also the manpage section on firewalls at this link: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG or (#3) These are just the basics to get you 09:43 <@vpnHelper> started as firewall design is beyond this channel's scope; you can also see #netfilter 09:43 <@plaisthos> !notovpn 09:43 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem or (#2) sorry, but we dont care. this channel is only for help with openvpn. 09:44 < hiya> plaisthos, why give so much lecture, Sir ? You could have said its off-topic 09:44 <@plaisthos> hiya: ? 09:45 <@plaisthos> hiya: I gave you everything openvpn can do on itself and just used the !notovpn macro to point out that this is not openvpn 09:46 < hiya> plaisthos, I know .. 
thanks 09:47 < hiya> I am trying to set a 2GB limit / user 09:47 < hiya> I would work on it now 10:11 < TheAlien> for my part, still trying to figure out why openvpn is allowing 2 connections from same user on diff machines and giving same ip, leaving both connected 10:12 < TheAlien> maybe its just knee-jerk reaction but that sounds like a super big potential security hole there, especially since it doesn't end in an error 10:12 < TheAlien> any way to make it behave?;) 11:42 < Talltree> do you guys happen to have a good guide for username/password based auth? 11:47 < hiya> Talltree, use PAM plugin 11:58 < Talltree> Oo chrome behaves really weird after connection to my openvpn server Oo 11:58 < hiya> Why is that? 11:59 < hiya> plugin /usr/..../openvpn/openvpn-plugin-auth-pam.so login 11:59 < hiya> Talltree, ^ 11:59 < hiya> this is what you have to add in server.conf 11:59 < hiya> auth-nocache 11:59 < hiya> auth-user-pass 11:59 < Talltree> just doesnt connect/lags out 11:59 < hiya> these two in client.conf ^ 12:00 < hiya> add a user without shell and home folder 12:00 < hiya> on server 12:00 < hiya> and use it 12:00 < hiya> :) 12:00 < hiya> done 12:00 < hiya> if need more help PM 12:00 < Talltree> firefox works perfectly, chrome doesn't, really weird 12:01 < hiya> maybe DNS issues? 12:01 < hiya> Chrome has its own DNS resolution shit 12:01 < hiya> use firefox then? 12:03 < Talltree> flushed the dns cache with net internals, flushed the windows dns cache, cleared history, disabled all extensions 12:04 < Talltree> i use chrome as my main browser and syncing bookmarks etc is a big part of my workflow... 12:35 < Otacon22> is there any way I can share port 443 between openvpn and nginx, without having nginx see connections coming from 127.0.0.1 ? 
12:37 < Neighbour> no, but there are reverse proxies that support sending an extra header in incoming connections that contain the real originating IP, which your site(s) can then use further 12:38 < Neighbour> (http header) 12:39 < Otacon22> ah good point, I didn't think about that 12:39 < Otacon22> actually nginx itself can do that 12:39 < Otacon22> i may do a crazy setup with nginx->openvpn->nginx 12:40 < hiya> MULTI: new incoming connection would exceed maximum number of clients (25) 12:40 < hiya> I am getting this error even if users did not even exceed 10 12:52 < sayo-> this is a very noob question but tutorials in google wouldn't help with my ignorance 12:52 < sayo-> I set up a client and it's working, how do I forward traffic over the vpn? 12:52 < sayo-> google says I should set up a couple iptables rules (https://wiki.debian.org/OpenVPN#Forward_traffic_via_VPN) 12:52 <@vpnHelper> Title: OpenVPN - Debian Wiki (at wiki.debian.org) 12:53 < sayo-> does that mean I have to mess with iptables each time I connect to the vpn? 12:54 < hiya> Talltree, did you add it? 12:55 < sayo-> also, is openvpn configfile supposed to create a new interface in my client? 12:56 < hiya> sayo-, what guide did you follow? 12:56 < sayo-> more or less this one https://wiki.debian.org/OpenVPN#Forward_traffic_via_VPN 12:56 <@vpnHelper> Title: OpenVPN - Debian Wiki (at wiki.debian.org) 12:57 < hiya> nano /etc/sysctl.conf 12:57 < hiya> sayo-, ^ 12:57 < hiya> # Uncomment the next line to enable packet forwarding for IPv4 12:57 < hiya> net.ipv4.ip_forward=1 12:57 < hiya> Ok 12:57 < hiya> ? 
12:57 < hiya> Save 12:57 < hiya> and exit 12:57 < sayo-> sorry I just run openvpn xx.conf and I lost remote connection :( 12:57 < hiya> no problem 12:59 < sayo-> I can access thru the linode console but not remotely 12:59 < sayo-> looks like openvpn fucked up with the interfaces xD 13:00 < sayo-> ok killall openvpn did the trick :D 13:02 < sayo-> hiya: ok, found and uncommented that line 13:02 < hiya> save - exit 13:02 < sayo-> yup, done 13:02 < hiya> ok 13:02 < hiya> Works? 13:04 < sayo-> hiya: I don't know why, but now each time I run openvpn, I lose connection 13:05 < sayo-> hiya: http://pastebin.com/kXPT7MdE seems like port forwarding works given the logs 13:05 < sayo-> ping www.google.com ping: unknown host www.google.com 13:06 < hiya> sayo-, connection is fine 13:06 < sayo-> nope, looks like it doesn't work 13:06 < hiya> sayo-, check /etc/resolv.conf 13:06 < hiya> what does it say? 13:07 < hiya> sayo-, Also I need to know do you have ufw? 13:07 < hiya> Did you configure it? 13:08 < sayo-> yup I use iptables 13:08 < sayo-> iptables is "everything done except this two ports I always use" 13:09 < hiya> Allowed traffic from client to eth0? 13:09 < sayo-> the guide doesn't say anything on modifying the config of my firewall 13:10 < hiya> which guide? 13:10 < hiya> Show me? 13:10 < sayo-> /etc/resolv.conf is just a bunch of nameservers from my provider plus options rotate 13:10 < sayo-> this guide https://wiki.debian.org/OpenVPN 13:10 <@vpnHelper> Title: OpenVPN - Debian Wiki (at wiki.debian.org) 13:10 < hiya> wtf 13:10 < hiya> DEFAULT_FORWARD_POLICY="ACCEPT" 13:10 < hiya> This is required ^ 13:10 < sayo-> basically all I do in my client is: openvpn configfile and that's it 13:10 < hiya> sayo-, do you control the server? 13:10 < sayo-> nope 13:11 < hiya> Wait? You are using OpenVPN service and trying to connect as a client? 13:11 < sayo-> DEFAULT_FORWARD_POLICY="ACCEPT"? in my client? 
13:11 < hiya> sayo-, no that is server ufw file thingy 13:11 < hiya> sayo-, What are you trying to do again? 13:11 < sayo-> lol ok let's start from scratch 13:11 < sayo-> hey hiya, pleased to meet you! 13:12 < sayo-> I rented a VPN account and I'm trying to connect to the server 13:12 < sayo-> I want to tunnel all my public connections thru the VPN 13:12 < hiya> sayo-, You using cli OpenVPN? Don't you have GUI like Gnome? 13:12 < sayo-> cli, no gui 13:12 < hiya> ok 13:13 < hiya> sayo-, now what server? 13:13 < hiya> Can you disclose the name? 13:13 < hiya> if not then fine 13:13 < sayo-> I'm afraid that would get me killed 13:13 < hiya> sayo-, ok then do not do it 13:13 < hiya> sayo-, When you try to connect do you get any errors? 13:13 < sayo-> the servers are fully working 13:13 < hiya> nano client.conf 13:14 < hiya> log-append v.log 13:14 < hiya> do this 13:14 < hiya> and save - exit 13:14 < hiya> sayo-, nano client.conf 13:14 < sayo-> these are the logs http://pastebin.com/kXPT7MdE 13:14 < hiya> log-append v.log 13:14 < hiya> verb 4 13:14 < hiya> save - exit 13:14 < sayo-> ok 13:14 < hiya> try to connect again 13:14 < hiya> and show me v.log 13:14 < sayo-> just a second 13:15 < hiya> sayo-, also try 13:15 < jafa> hi, using openvpn for communication between front-end webservers and two backend servers (different locations). Each front-end maintains an openvpn connection to each of backend servers - works great. Now looking to maintain a vpn connection between the two backend servers 13:15 < hiya> sayo-, sudo openvpn --config config.ovpn 13:15 < hiya> assuming config.ovpn is name of client.conf file 13:16 < sayo-> yup, I'm doing this 13:16 < sayo-> just a second 13:17 < sayo-> wow the logs are large 13:17 < jafa> currently thinking I need to issues a client cert for one of the backend servers, have it connect as a client to the other, and have the server one configured to hand out a fixed ip so I can set up different firewall rules compared to the normal clients. 
Is this reasonable or is there a better direction 13:18 < jafa> s/issues/issue/ 13:19 < hiya> sayo-, Does it say Initialization Sequence Completed in the end? 13:19 < hiya> or not? 13:19 < sayo-> yup 13:19 < hiya> then it works 13:19 < hiya> something else is wrong 13:19 < sayo-> http://puu.sh/mQQrc/7afa518111.png 13:19 < hiya> and you do not have to do anything in client side 13:19 < hiya> it should work out of box 13:20 < hiya> sayo-, wait how do you use it? 13:20 < hiya> sayo-, in cli mode how do you use your VPN? You do not get to do anything once it connects? then? 13:20 < jafa> thinking another option might be to run a second vpn server instance on a different port just for backend-to-backend communication - keep things fully isolated. The complication is that I may not be able to set up firewall rules by tun interface as the numbering can change 13:21 < hiya> sayo-, Do you exit from openVPN to check if it works? 13:21 < sayo-> hiya: I run openvpn --config config.ovpn from a terminal and then try to do stuff from another session like ping www.google.com 13:21 < hiya> ok 13:21 < hiya> Did it work yet? 13:21 < sayo-> nop 13:21 < sayo-> ping www.google.com and ping -I tun0 www.google.com won't work 13:21 < hiya> sayo-, remove everything in /etc/resolv.conf 13:21 < sayo-> nooooooooooooooooooooooooooo 13:21 < hiya> and add 13:21 < sayo-> why would I do that? 13:21 < hiya> nameserver 8.8.8.8 13:22 < hiya> sayo-, or comment it 13:22 < hiya> we need to see what the problem is 13:23 < sayo-> ok it's working 13:23 < sayo-> ;_; 13:24 < sayo-> yeah it's working 13:24 < sayo-> hiya: IT'S WORKING MAN THIS SHIT IS WORKING 13:24 < arcsky> good evening, i have problem with my openvpn config. can anyone please help me? http://pastebin.com/JHJRw6Xn 13:25 < sayo-> hiya: I still have one problem tho.......... I can't shell in anymore, it doesn't receive the connection 13:30 < hiya> sayo-, What do you mean? 
13:30 < hiya> sayo-, I do not follow you 13:30 < arcsky> good evening hiya , any idea ? 13:31 < hiya> arcsky, comment line 13 13:31 < sayo-> hiya: I'm using this box remotely thru SSH, as soon as I start openvpn I cannot connect anymore to it 13:31 < hiya> arcsky, What is the problem? 13:32 < hiya> arcsky, does server run well? 13:32 < hiya> Does it say Initialization Sequence Completed in the end? 13:32 < hiya> tail /var/log/openvpn.log 13:32 < hiya> on server 13:33 < hiya> sayo-, try again 13:33 < hiya> you would of course lose connection 13:33 < hiya> try again it should work 13:33 < arcsky> http://pastebin.com/LFZib5Jx 13:33 < hiya> sayo-, and undo all that IPv4 forwarding setup you did, because you should not be doing it on client side 13:33 < sayo-> nop, I can't connect anymore until I kill openvpn 13:33 < arcsky> windows client says "connecting all the time" 13:34 < hiya> arcsky, change line 9 to server 10.8.0.0 255........... 13:34 < hiya> in server.conf 13:35 < hiya> remove line 13 13:35 < hiya> push "redirect-gateway local def1" 13:35 < hiya> and then restart openvpn server 13:35 < hiya> and try to connect 13:36 < hiya> arcsky, also try with remote "IP" if it still does not work 13:37 < sayo-> hiya: why is it the machine doesn't receive incoming connections once the vpn was turned on? 13:38 < hiya> sayo-, did you allow particular IP? 13:38 < sayo-> what do you mean? 13:39 < hiya> sayo-, maybe the machine you are trying to SSH into has IP based restrictions 13:39 < jafa> any thoughts/advice regarding implementing a vpn link between two backend servers that both already run openvpn-servers? 13:39 < hiya> arcsky, works? 13:39 < sayo-> but I can ssh from the box when openvpn is off 13:39 < hiya> it should work fine 13:39 < hiya> it is not openvpn related 13:40 < hiya> as far as I know 13:40 < sayo-> ok =/ 13:40 < hiya> not saying I know enough 13:40 < hiya> ask others and wait for response 13:41 < sayo-> no! 
13:41 < sayo-> you're my saviour 13:41 < sayo-> you fixed the other problem :D 13:43 < arcsky> hiya: no luck 13:43 < hiya> arcsky, path of files sucks 13:43 < hiya> make it right 13:43 < hiya> no c:\\ 13:43 < hiya> remove it 13:44 < hiya> ca ca.crt 13:44 < sayo-> hiya: http://serverfault.com/questions/659955/allowing-ssh-on-a-server-with-an-active-openvpn-client this is my exact problem! 13:44 <@vpnHelper> Title: Allowing SSH on a server with an active OpenVPN client - Server Fault (at serverfault.com) 13:45 < hiya> sayo-, I do not see it as an issue you can solve from client machine 13:46 < sayo-> https://forum.linode.com/viewtopic.php?p=50114&sid=d4e386790351a09f638cff7fdeaeee8a#p50114 13:46 <@vpnHelper> Title: Linode Forum :: OpenVPN client connected to a server while listening to SSH? (at forum.linode.com) 13:46 < sayo-> apparently you only have to set up a couple rules 13:46 < sayo-> cause the incoming connections are forwarded to the vpn 13:46 < hiya> ok 13:46 < hiya> do it 13:46 < sayo-> easy said :P 13:46 < hiya> arcsky, just remove c:\\ 13:46 < arcsky> hiya: done no luck 13:46 < hiya> arcsky, and keep them all in one folder 13:46 < arcsky> its 13:46 < hiya> arcsky, show me windows log 13:47 < hiya> please 13:47 < hiya> I do not follow 13:47 < arcsky> its empty 13:47 < arcsky> openvpn.log 13:48 < hiya> arcsky, idk its impossible 13:48 < hiya> how do you try to connect? 13:48 < hiya> are all files in config folder? 13:49 < hiya> or only client.conf? 13:49 < arcsky> http://ring0.se/g/f2dfe9e7234dc2fb.png 13:49 < arcsky> yes 13:49 < hiya> what is that? 13:49 < arcsky> all files in the config folder 13:49 < arcsky> ca cert key config log 13:50 < hiya> arcsky, but what client is this? Where did you download it from? 13:50 < hiya> arcsky, Which OS? 13:50 < hiya> Windows 7? 
13:50 < arcsky> Win10 13:51 < arcsky> openvpn website 13:51 < arcsky> some weeks ago 13:51 < hiya> https://openvpn.net/index.php/download/community-downloads.html 13:51 <@vpnHelper> Title: Community Downloads (at openvpn.net) 13:51 < hiya> download from here ^ 13:51 < sayo-> hiya: it did the trick :d 13:51 < sayo-> thank you very much for your help! 13:51 < hiya> sayo-, cool :) 13:51 < sayo-> <3 13:51 < hiya> sayo-, Ok you can hang out in my channel if you like 13:51 < hiya> I invited you 13:51 < sayo-> I'll do! 13:52 < sayo-> oh, you sell vpn? cool :3 13:52 < hiya> sayo-, no we do not sell 13:53 < hiya> we provide to who cannot afford 13:53 < hiya> :) 13:53 < hiya> its donation based not even a nagware 13:53 < arcsky> hiya: ok. after i install it should i start it as admin or not? 13:53 < hiya> arcsky, Done? 13:53 < hiya> arcsky, Start as Admin 13:53 < hiya> sure 13:53 < hiya> and copy all your files to config folder 13:54 < hiya> https://community.openvpn.net/openvpn/wiki/OpenVPN-GUI 13:54 <@vpnHelper> Title: OpenVPN-GUI – OpenVPN Community (at community.openvpn.net) 13:54 < hiya> arcsky, ^ 13:54 < hiya> follow this 13:55 < arcsky> hiya: it doesn't look like that one 13:56 < arcsky> some years ago it looked like that but not now 13:57 < hiya> arcsky, it would work 13:57 < hiya> try to connect 13:57 < hiya> arcsky, did it work? 13:57 < hiya> Just copy the file to config folder 13:57 < hiya> and client.ovpn would appear in right click menu 13:58 < hiya> and then it would work 13:58 < hiya> :) 13:58 < hiya> works? 13:58 < arcsky> nope 13:58 < hiya> why not? 13:58 < hiya> What is the problem? 13:58 < arcsky> run win openvpn 13:59 < arcsky> its cmd 13:59 < hiya> arcsky, it is GUI! 13:59 < hiya> open as Admin 13:59 < hiya> Do you see an icon in taskbar? 
13:59 < arcsky> yes 13:59 < hiya> right click - select Configuration 14:00 < hiya> and it works 14:00 < arcsky> its 14:00 < arcsky> only 14:00 < arcsky> Exit 14:00 < arcsky> and Settings 14:00 < arcsky> http://ring0.se/g/5045d76cef1da92f.png 14:00 < hiya> arcsky, because my sweet friend you did not copy all the files inside /config folder in program files 14:00 < hiya> do you see OpenVPN GUI Icon on desktop? 14:01 < hiya> I mean shortcut? 14:01 < arcsky> yes 14:01 < hiya> Can you reach its location? 14:01 < hiya> Right click Open Location or something? 14:01 < hiya> see a config folder? 14:01 < hiya> see? 14:01 < hiya> arcsky, Did it happen? 14:02 < arcsky> sec 14:02 < hiya> arcsky, Hello? 14:02 < hiya> How many secs? 14:02 < hiya> :P 14:02 < arcsky> ok 14:02 < arcsky> its there 14:02 < arcsky> C:\Program Files\OpenVPN\config 14:02 < hiya> what is there? 14:02 < hiya> copy ca.crt 14:03 < hiya> user.crt 14:03 < arcsky> all is there now 14:03 < hiya> user.key 14:03 < hiya> Close and reopen OpenVPN GUI 14:03 < hiya> you would see like in Tutorial 14:03 < hiya> see? 14:03 < hiya> connect? 14:03 < hiya> I hope you removed C:\ 14:03 < hiya> from client.ovpn 14:03 < hiya> if client.conf then rename to client.ovpn 14:04 < hiya> close - reopen OpenVPN GUI and you see it 14:04 < hiya> connect 14:04 < hiya> done? 14:04 < hiya> or not? 14:04 < arcsky> oh lala 14:04 < hiya> works? 14:04 < arcsky> it says connected 14:04 < hiya> dnsleaktest.com 14:04 < hiya> check ^ 14:05 < hiya> What does it say? 14:05 < hiya> if IP is right 14:05 < hiya> then do extended test for dns leaks 14:05 < arcsky> whatismyip gives me not right 14:06 < hiya> dnsleaktest.com 14:06 < hiya> what does it say? 14:06 < hiya> Did you close all the apps 14:06 < hiya> and restart them? 14:06 < hiya> or just started from there only? 
14:06 < hiya> close browser - restart 14:07 < hiya> and then check 14:07 < arcsky> mybut in ipconfig 14:07 < arcsky> i cant see the new ip 14:07 < hiya> do not look there 14:07 < hiya> Visit DNSleaktest.com 14:07 < arcsky> or netstat -r 14:07 < hiya> Are you doing what I want? 14:08 < arcsky> i want my windows client to go to my linux openvpn server 14:08 < hiya> ipconfig look for tun0 14:08 < hiya> arcsky, if you check 14:08 < hiya> then it works 14:08 < arcsky> ipconfig /all |find "10." 14:08 < arcsky> dont get any 14:08 < hiya> arcsky, DNSLEAKTEST.com in browser 14:08 < hiya> what does it say? 14:08 < arcsky> my home ip mate 14:09 < hiya> remote IP correct? 14:09 < hiya> in client.ovpn? 14:09 < hiya> remote 14:09 < hiya> do it 14:09 < hiya> and reconnect 14:12 < hiya> arcsky, ^ 14:12 < _FBi> hello hiya 14:12 < hiya> _FBi, hello 14:12 < _FBi> fighting the good fight? 14:13 < hiya> how can i help you _FBi ? i do not even keep logs 14:13 < _FBi> :P 14:13 < hiya> hows ur business? 14:14 < _FBi> the website is paid for :D 14:14 < arcsky> Sun Jan 31 21:10:32 2016 MANAGEMENT: >STATE:1454271032,WAIT,,, 14:14 < _FBi> arcsky, if you're about to spam, please use a pastebin 14:14 < hiya> arcsky, use management? 14:16 < arcsky> http://ring0.se/g/f8c878fa0dce0599.png 14:17 < arcsky> TLS error 14:18 < _FBi> looks like your TLS failed ;) 14:20 < hiya> arcsky, wait 14:20 < hiya> arcsky, on server 14:20 < hiya> sudo openvpn --version 14:21 < hiya> arcsky, show me your server.conf and client.conf in plain text completely and without error else I cannot help you 14:21 < hiya> sorry 14:21 < hiya> do not use shitty pastebin 14:21 < hiya> go with paste.sh 14:21 < hiya> or something neat 14:21 < hiya> or debian paste 14:21 < arcsky> oke but i do apt-get update / upgrade now 14:22 < hiya> arcsky, wtf? why? 14:22 < _FBi> lol 14:22 < _FBi> <3 14:22 < arcsky> :D 14:22 < hiya> arcsky, Add OpenVPN repo 14:22 < hiya> upgrade to 2.3.10 14:22 < hiya> arcsky, which distro? 
14:22 < arcsky> Debian 14:22 < hiya> Jessie? 14:23 < hiya> add OpenVPN repo then 14:23 < arcsky> no sorry this was ubuntu 14:23 < hiya> and upgrade 14:23 < hiya> upgrade to OpenVPN 2.3.10 however you do it 14:23 < hiya> please 14:23 < arcsky> OpenVPN 2.3.2 x86_64-pc-linux-gnu 14:23 < arcsky> ij 14:23 < arcsky> ok* 14:24 < hiya> arcsky, ancient alien version do not use 14:24 < hiya> use latest 14:24 < hiya> upgrade now 14:24 < hiya> arcsky, Ubuntu which one? 14:25 < arcsky> Ubuntu 14.04.3 LTS 14:30 < hiya> arcsky, done? 14:32 < arcsky> with update/upgrade yes. no luck 14:32 < arcsky> weird it seems i have openssl issues 14:33 < hiya> https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos 14:33 <@vpnHelper> Title: OpenvpnSoftwareRepos – OpenVPN Community (at community.openvpn.net) 14:33 < hiya> arcsky, ^ 14:36 < arcsky> : Failed to fetch http://swupdate.openvpn.net/apt/dists//main/binary-amd64/Packages 404 Not Found [IP: 96.44.184.130 80] 14:36 < arcsky> ups 14:36 < hiya> arcsky, replace with trusty 14:37 < arcsky> yes 14:38 < hiya> arcsky, What yes 14:38 < hiya> if you had done then you won't get this error 14:38 < hiya> :( 14:40 < arcsky> i said ups which i mean i found this i had to add my osrelease 14:40 < hiya> ups means whole of it? 14:40 < hiya> when you say ups, I assume all of it? 14:41 < arcsky> same error 14:41 < arcsky> TLS error 14:42 < hiya> Did you restart the server? 14:42 < hiya> so you upgraded? 14:42 < hiya> and did you restart the OPENVPN server? 14:43 < arcsky> yes 14:43 < arcsky> OpenVPN 2.3.10 x86_64-pc-linux-gnu 14:43 < hiya> cool 14:43 < hiya> now show me your server.conf 14:44 < hiya> and client.conf 14:44 < hiya> in paste.sh 14:44 < hiya> not shitty pastebin you use 14:46 < arcsky> https://paste.sh/Ql9nJTdr#S_kW2XeUQvarzcHFYkhLXL19 14:48 < _FBi> I see your error I think 14:48 < arcsky> let me know 14:48 < _FBi> are you using ns-cert ? 14:49 < hiya> arcsky, comment ns-cert and retry 14:49 < hiya> in client 14:50 < hiya> works? 
14:50 < hiya> arcsky, we would have to improve your configurations though 14:50 < arcsky> its buggy client 14:51 < _FBi> nah, don't use ns-cert-type. there's a newer way to do it 14:51 < arcsky> cant re-connect so must kill it and start it 14:51 < hiya> arcsky, I would give you new client/server.conf once you confirm it works 14:51 < _FBi> are you running as admin -- from windows client 14:52 < hiya> arcsky, those would have a lot of things :) 14:52 < arcsky> "arcsky, comment ns-cert and retry" no success 14:53 < hiya> remote-cert-tls server 14:53 < hiya> try this ^ 14:53 < hiya> :) 14:53 < hiya> instead of that 14:53 < hiya> but that should work too 14:54 < _FBi> no encryption is set, either 14:54 < _FBi> *cipher 14:54 < hiya> arcsky, Can you replace whole of your configurations with what I say? 14:54 < hiya> server.conf + client.conf both? 14:55 < arcsky> https://paste.sh/Ql9nJTdr#S_kW2XeUQvarzcHFYkhLXL19 14:55 < _FBi> hiya, sorry for barging in -- it's not helpful with two people screaming commands haha 14:55 < hiya> arcsky, Did you allow 10.8.0.0 in firewall? 14:56 < arcsky> i havent got any ip 14:56 < arcsky> thats a start 14:56 < hiya> arcsky, change that to your previous server 176.x.x.x choice 14:56 < hiya> and restart 14:56 < hiya> and reconnect 14:56 < arcsky> ok 14:57 < hiya> my configuration is too complex for you 14:57 < hiya> :) 14:57 < hiya> arcsky, works? 14:58 < hiya> arcsky, tell me 14:58 < hiya> fast 14:58 < hiya> :) 14:58 < arcsky> no 14:58 < arcsky> i have to tell u 14:58 < hiya> What error? 14:58 < arcsky> 19 jan u helped me and it worked 14:59 < hiya> arcsky, with what? 14:59 < hiya> Configurations? 14:59 < hiya> arcsky, why did you change it? 14:59 < hiya> arcsky, now we would replace the configurations 14:59 < hiya> ok? 15:00 < hiya> server.conf - coming up? 15:00 < hiya> you ready? 
15:00 < arcsky> yes
15:00 < arcsky> it has full access
15:00 < hiya> arcsky, i hope you can handle it
15:00 < hiya> :)
15:00 < arcsky> yes
15:00 < arcsky> ready
15:01 < hiya> it would delete in 5m so copy it fast ok?
15:01 < hiya> :)
15:02 < arcsky> ok
15:02 < arcsky> hurry
15:02 < hiya> https://spit.mixtape.moe/view/raw/9a83040c
15:02 < hiya> arcsky, ^
15:02 < hiya> :)
15:03 < hiya> replace the dh ca cert key
15:03 < hiya> location
15:03 < arcsky> ok
15:03 < hiya> also replace server 10.x.x. with w/e you used
15:03 < hiya> 17.x.x.x
15:03 < hiya> ok?
15:03 < hiya> when done tell me, I give you client.conf
15:03 < hiya> :)
15:03 < hiya> ok?
15:03 < hiya> :)
15:07 < arcsky> ok
15:08 < hiya> arcsky, What ok?
15:08 < Talltree> where do i define what config file the openvpn service is going to load?
15:08 < arcsky> im ready for client
15:08 < hiya> Talltree, What do you mean?
15:09 < hiya> arcsky, ok
15:09 < Talltree> when i say service openvpn start
15:09 < Talltree> and then status
15:09 < Talltree> its active exited, because of no config file i suppose
15:10 < Talltree> i dunno where i define the name of the config file he loads by default
15:10 < hiya> https://spit.mixtape.moe/view/raw/e205707d
15:10 < hiya> arcsky, ^
15:10 < hiya> Talltree, it is regular stuff, it means it is working and is fine
15:10 < hiya> Talltree, look for log file
15:10 < hiya> tail log.file
15:11 < hiya> arcsky, try to connect now with new configurations
15:11 < hiya> first restart server
15:11 < hiya> and tail openvpn.log
15:11 < hiya> if works
15:11 < hiya> and then try to connect client
15:11 < Talltree> why do you recommend restarting the server all time, its linux lol
15:12 < hiya> Talltree, So what? we have to restart still
15:12 < hiya> systemctl restart openvpn
15:12 < Talltree> no, pretty much you dont
15:12 < hiya> no
15:12 < hiya> you do
15:12 < hiya> as per me
15:12 < hiya> opinion may vary though
15:12 < arcsky> no success
15:12 < hiya> arcsky, What error?
15:13 < arcsky> Sun Jan 31 22:09:26 2016 MANAGEMENT: >STATE:1454274566,WAIT,
15:13 < Talltree> i want to see your service uptime if you restart the server after each config :D
15:13 < hiya> arcsky, regen your ca.crt and certs :) something is obviously wrong
15:14 < hiya> Talltree, I do it and it works fine
15:15 < hiya> arcsky, works?
15:20 < arcsky> hiya: Options error: --tls-auth fails with 'ta.key': No such file or directory
15:20 < hiya> arcsky, put # before it in client.conf
15:21 < hiya> works?
15:21 < hiya> try fast
15:21 < arcsky> ok
15:21 < arcsky> now it ask for logins
15:21 < hiya> _FBi, ^
15:21 < hiya> who the james bond it?
15:21 < hiya> arcsky, put # before two lines
15:21 < hiya> auth-nocache
15:21 < hiya> auth-user-pass
15:22 < hiya> arcsky, ^
15:22 < hiya> these two
15:22 < hiya> and you are fine
15:22 < hiya> in client.conf
15:22 < hiya> fast
15:22 < hiya> fasttttttttttttttttttt
15:22 < hiya> heh
15:22 < hiya> :)
15:22 < hiya> you eat my head too much
15:22 < arcsky> haha
15:22 < arcsky> u like u
15:22 < arcsky> but u havent scored yet
15:22 < hiya> arcsky, Works?
15:22 < arcsky> nope
15:23 < hiya> wtf now?
15:23 < arcsky> this management stuff
15:23 < arcsky> Sun Jan 31 22:20:21 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
15:24 < arcsky> Sun Jan 31 22:20:21 2016 TLS Error: TLS handshake failed
15:25 < hiya> arcsky, sudo openvpn --show-tls
15:25 < hiya> on server
15:25 < arcsky> netstat -atnup | grep 1194
15:25 < arcsky> shows nothing
15:25 < _FBi> is the client windows or *nix ?
15:25 < hiya> arcsky, sudo openvpn --show-tls
15:26 < hiya> on server
15:26 < arcsky> https://paste.sh/RKAWDoz9#J8ywDhxlOwegEtC9SNxvBqkB
15:26 < Talltree> the spam is real, anyway, openvpn --config server.conf works fine, service openvpn start doesnt
15:26 < arcsky> client win 10 , server ubuntu
15:26 < arcsky> i see in tcpdump server gets the udp traffic on port 1194
15:26 < hiya> arcsky, openvpn --version?
15:27 < hiya> 2.3.10 right?
15:27 < arcsky> OpenVPN 2.3.10 x86_64-pc-linux-gnu
15:27 < arcsky> yes
15:27 < arcsky> should i test to change to other port
15:27 < hiya> arcsky, put # before tls-version-min 1.2
15:27 < arcsky> tcp?
15:27 < hiya> no no
15:27 < arcsky> ok
15:27 < hiya> no tcp
15:27 < hiya> it should work
15:27 < _FBi> arcsky, right click in windows, and run OpenVPN as admin
15:27 < hiya> and restart server
15:28 < arcsky> its as admin
15:29 < hiya> arcsky, works?
15:29 < arcsky> nope
15:29 < hiya> what error?
15:29 < arcsky> Sun Jan 31 22:26:16 2016 MANAGEMENT: >STATE:1454275576,WAIT,,,
15:29 < arcsky> and soon the tls error come
15:29 < hiya> arcsky, Did you allow port 1194 udp in firewall?
15:29 < hiya> incoming?
15:30 < arcsky> yep
15:30 < _FBi> iptables -L
15:30 < hiya> ^
15:30 < _FBi> and its not iptables6 is it?
15:30 < hiya> paste.sh it
15:31 < arcsky> both
15:32 < hiya> arcsky, Tail openvpn.log
15:32 < hiya> on server ^
15:32 < hiya> arcsky, did you replace remote
15:32 < hiya> with IP of your server?
15:32 < arcsky> yes
15:32 < hiya> or not?
15:32 < arcsky> no host
15:32 < hiya> IP or domain?
15:32 < arcsky> domain
15:32 < hiya> WTF
15:32 < arcsky> :X
15:32 < hiya> IP!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!11
15:32 < arcsky> sorry chief
15:32 < hiya> Also do not remote the port
15:33 < hiya> remote IP 1194
15:33 < hiya> also check
15:33 < hiya> openvpn.log on server
15:33 < hiya> to see if client is connecting or not
15:34 < hiya> arcsky, works?
15:34 < arcsky> nope
15:34 < hiya> Don't say no
15:34 < hiya> lol
15:34 < arcsky> ok
15:34 < hiya> arcsky, server
15:34 < hiya> tail openvpn.log
15:34 < arcsky> ok
15:34 < hiya> cd /etc/openvpn/ <-- first
15:35 < hiya> Do you see any signs of client?
15:35 < hiya> What error?
15:35 < arcsky> https://paste.sh/E8accrlG#mEkzeyPWEZ9LXCZGt9LbE0xG
15:35 < hiya> Paste.sh it
15:36 < hiya> arcsky, bro WTF WTF WTF WTF
15:36 < hiya> arcsky, you are not running OpenVPN server as service?
15:36 < hiya> it says it is closed on user action
15:36 < hiya> CTRL + C
15:37 < hiya> or something
15:37 < arcsky> i start it with /etc/init.d/openvpn start
15:37 < hiya> arcsky, ok?
15:37 < hiya> try
15:37 < hiya> systemctl start openvpn
15:37 < arcsky> https://paste.sh/cjg_0vIB#5qZuowH2oQj9gEw-0bxQlwja
15:38 < hiya> tail openvpn.log
15:38 < hiya> ?
15:38 < hiya> What does it say?
15:38 < arcsky> it shows old stuff from 22:01
15:38 < arcsky> its 22:35 here
15:39 < hiya> IGTERM[hard,] received, process?
15:40 < arcsky> mate
15:40 < arcsky> it doesnt start i guess
15:40 < arcsky> ps aux | grep openvpn isnt there
15:40 < hiya> yep
15:40 < hiya> it is interrupting
15:40 < hiya> hence it won't work
15:40 < arcsky> what can i do?
15:40 < hiya> program is on server side
15:41 < hiya> arcsky, restart your server completely
15:41 < hiya> reboot the VPS
15:44 < hiya> _FBi, ^
15:45 < hiya> I think he is ssh into machine
15:45 < _FBi> I think I don't care about his problem :/
15:45 < hiya> lol
15:45 < hiya> :)
15:45 < hiya> Sorry
15:46 < _FBi> I appreciate you trying though
15:46 < _FBi> ovpn in its simplest form is very easy to get going. Furthermore, someone spent A LOT of time writing that HOWTO
15:47 < _FBi> there's no reason he should be experiencing the problems he's having, unless he A) followed someone else's HOWTO, B) Should have someone else do it for him
15:47 < _FBi> even when spoon fed .ovpn files he still has it messed up
15:48 < hiya> but I just gave him my conf files
15:48 < hiya> :)
15:48 < hiya> what else could be the problem
15:48 < hiya> he is using Ubuntu I hate it
15:48 < hiya> I love Debian :)
15:49 < hiya> works?
15:49 < arcsky> nope
15:49 < hiya> tail openvpn.log?
15:49 < arcsky> * Starting virtual private network daemon(s)... * Autostarting VPN 'server'
15:50 < arcsky> log is old, not after the reboot
15:50 < hiya> check again then
15:53 < hiya> arcsky, works?
15:54 < arcsky> nope
15:55 < hiya> lol
15:55 < hiya> arcsky, Redo it
15:55 < hiya> whole of it
15:55 < hiya> reinstall Ubuntu and redo
15:55 < arcsky> hehe
16:10 < lupine> I'm running an openvpn tunnel, and I'm seeing fairly frequent pauses in traffic. I think it's related to a particular key session expiring and it taking a while for a new one to be started. I must be missing some setting? this can't be normal
16:10 < lupine> I see TLS: tls_process: killed expiring key
16:10 < lupine> followed by the normal verify stuff ~20 seconds later
16:29 < arcsky> hiya: hoho
16:47 < arcsky> i did try with my config from the beginning of this evening it worked. weird huh!?
16:50 < arcsky> i want to know why. and also i cant go through internet i have iptables nat rule + forwarding on
17:14 < lupine> hmm, according to the internet that's meant to be a transparent thing
17:14 < lupine> maybe it's an entropy problem
18:40 < lupine> is there a sensible way to calculate about how many bytes of entropy the rekeying would take?
18:43 < lupine> polling entropy availability numbers during a rekeying doesn't seem to show problems, but I'm not sure I trust it
23:27 < hiya> hi
23:51 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
23:51 -!- mode/#openvpn [+o dazo] by ChanServ
23:52 -!- Netsplit *.net <-> *.split quits: @syzzer, @dazo_afk
23:53 -!- cirdan_ is now known as cirdan
23:53 -!- x5eb is now known as _0x5eb_
--- Day changed Mon Feb 01 2016
00:03 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
00:03 -!- mode/#openvpn [+o syzzer] by ChanServ
01:41 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 260 seconds]
02:09 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
02:09 -!- mode/#openvpn [+v s7r] by ChanServ
02:09 -!- s7r_ [~s7r@openvpn/user/s7r] has quit [Ping timeout: 240 seconds]
02:12 -!- ^cj^ is now known as ^CJ^
02:20 < arcsky> hiya: alive?
03:13 < Talltree> ecrist can you help me maybe once more?
03:23 < arcsky> push "redirect-gateway def1"
03:23 < arcsky> isnt this the solution for sending the default route to the client?
03:26 < arcsky> 0.0.0.0 0.0.0.0 10.68.14.253 10.68.14.190 10
03:26 < arcsky> 0.0.0.0 128.0.0.0 172.16.0.5 172.16.0.6 20
03:32 -!- ^CJ^ is now known as ^cj^
03:53 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 260 seconds]
03:59 -!- eliasp_ is now known as eliasp
04:00 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
04:00 -!- mode/#openvpn [+o dazo] by ChanServ
04:57 < hiya> arcsky, sup?
04:58 < hiya> arcsky, add dhcp-bypass too if you have Windows clients
04:59 < hiya> arcsky, it works because you were doing something terribly wrong and this time you did it right :)
05:20 < TheAlien> hey folks :) i fixed my main issue. but im still wondering about this ipp.txt file - get the idea behind it, clients listed will get the same ip, but then why does it list me with a .4 address while i always get .6?
05:21 < arcsky> oh hiya alive weeiiihhoo
05:25 < arcsky> hiya: still doesnt work
05:26 < arcsky> https://paste.sh/lZCdZ_92#ir5-zvRhFnpOkyMVlfEXginc
05:35 < hiya> arcsky, get a baseball bat and beat me up now, I got no energy left to assist you, give me access I would setup for you
05:36 < hiya> is all I can say
05:36 < arcsky> take a coffee?
05:39 < hiya> arcsky, no thanks I do not want to help without you providing me 100% undisputed access, so that I can setup without any hassle or continuous harassment, it works and it works awesome but you are making it harsh
05:39 < hiya> or get a pro like OPs here to do it for you, even _FBi does it but expenses might be too high
05:43 < arcsky> 0.0.0.0 128.0.0.0 172.16.0.5 172.16.0.6 20
05:57 < hiya> How effective is tls-auth static key ddos mitigation?
06:12 < SAKUJ0> Hey there. Something strange is happening. We have been running an OpenVPN server at work for the last few months and it was working rather well (SMB / VNC / RDP / HTTP pretty much). We replaced our DHCP server and gateway server and had to shrink the network a bit.
06:13 < SAKUJ0> Now clients can ping any host on the network as before and everything works, just our web servers are causing issues
06:13 < SAKUJ0> I can reach them from the network but not via VPN (which is something I never experienced. For non-broadcast traffic, connecting to the OpenVPN server was as reliable as attaching to a switch)
06:14 < wodim> hello, isn't there a way to run openvpn without tun?
06:14 < SAKUJ0> wodim, yes, but not on windows clients if that is what you are asking
06:14 < SAKUJ0> well my bad
06:14 < SAKUJ0> windows uses tap ignore that :p
06:14 < SAKUJ0> yeah there is tap wodim
06:14 < wodim> and with no tap
06:14 < wodim> I want to run it on a server with no tun/tap.
06:16 < SAKUJ0> wodim, I am not very knowledgeable and only a user. But judging from the documentation the dev option seems to be mandatory and it seems it has only the two options tun and tap
06:17 < wodim> oh, that's too bad
06:17 < SAKUJ0> oh there is another option "null"
06:19 < SAKUJ0> But pretty sure it's not what you are after :p
06:19 < SAKUJ0> "You must use either tun devices on both ends of the connection or tap devices on both ends. You cannot mix them, as they represent different underlying network layers."
06:36 <@dazo> wodim: Windows TAP driver supports tun mode
06:37 < wodim> dazo: no offence but I don't understand what does Windows have to be with what I asked
06:37 < wodim> have to do*
06:38 <@dazo> wodim: I just saw windows tap being mentioned in the discussion with SAKUJ0
06:38 < wodim> I never mentioned Windows
06:38 <@dazo> wodim: but you do need to use either tun or tap.
06:38 < wodim> it's a Linux server
06:39 < wodim> oh
06:39 < wodim> too bad
06:39 <@dazo> what would you want to use instead?
06:39 < wodim> I don't know what tun or tap do, so I don't know if they are actually mandatory
06:39 < wodim> that's why I asked
06:39 <@dazo> I see
06:40 <@dazo> tun/tap are basically the working mode of the virtual network interface
06:40 <@dazo> you do need a tun or tap device, as that is where you route traffic in and out of the VPN tunnel
06:40 <@dazo> https://community.openvpn.net/openvpn/wiki/BridgingAndRouting#Usingrouting
06:41 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net)
06:41 <@dazo> have a look at this simple ascii art drawing
06:42 < wodim> I wonder if it would be possible to "emulate" tun in userland
06:42 < wodim> http://code.gerade.org/tunemu/
06:42 <@vpnHelper> Title: tunemu - Tun device emulation for Darwin (at code.gerade.org)
06:42 < wodim> something like this, uh
06:42 <@dazo> !goal
06:42 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
06:43 < wodim> aha
06:47 < BtbN> So you want a VPN without any network traffic flowing through it? Seems kinda pointless
06:48 < wodim> I'm not sure you're reading what I say
06:49 < wodim> I don't have tun/tap with this kernel, so I'm wondering if whatever tun/tap does can be emulated by some software running in userland
06:49 < wodim> I've found that but it's for OS X, and there probably is no similar software for linux, because linux already has tun/tap in the kernel after all
06:49 <@dazo> wodim: running on some openVZ VPS host?
06:50 < wodim> yeah
06:50 <@dazo> wodim: you need to ask your VPS provider to enable the tun module
06:50 < wodim> I'd rather not pay for that
06:50 < wodim> hence my question
06:50 < wodim> I do ssh tunnelling sometimes but it's slow as hell, because of tcp over tcp I assume
06:51 < arcsky> hi vpnHelper
06:51 <@dazo> wodim: then move to a more decent VPS ;-) Many KVM or Xen based VPS solutions which are affordable and give you proper full root access to your VM
06:52 < arcsky> push "redirect-gateway bypass-dhcp"
06:52 <@dazo> !vpnHelper
06:52 <@vpnHelper> "vpnHelper" is "bot" is I'm a bot.. just a bot. krzee and ecrist are my maintainers, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P
06:52 < arcsky> i have that line in my server.conf but i still cant go via client to internet over that vpn
06:53 <@dazo> !redirect
06:53 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
06:53 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
06:54 < SAKUJ0> wodim, I mixed things up above sorry for the windows confusion
06:58 < arcsky> when you say ping vpn server is that the local or wan ip?
07:08 -!- kloeri_ is now known as kloeri
07:18 <@dazo> arcsky: that's the VPN IP address of the VPN server
07:23 < arcsky> ok ur chart say enable it. but its enabled.
07:23 < arcsky> server interface has tun0 172.16.0.1 ptp 172.16.0.2 and my client got 172.16.0.6
07:31 <@dazo> !/30
07:31 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips or (#2) you can avoid this behavior by reading !topology
07:39 <@ecrist> !nat
07:39 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
07:50 < NetworkingPro> hey everyone.. is there a way to view the traffic from an openvpn connection decrypted in Wireshark?
07:50 < NetworkingPro> I own both sides of the covnersation (Certs and all) and need to troubleshoot connectivity.
07:50 <@ecrist> you should be able to sniff the tun0 interface
07:50 < NetworkingPro> s/covnersation/conversation
07:52 < NetworkingPro> you
07:53 < NetworkingPro> ecrist: the host is embedded with no tcpdump.
07:53 < NetworkingPro> So Im trying to figure out how to make it happen otherwise.
07:53 <@ecrist> read the logs?
07:53 <@ecrist> set verb to 5 or so
07:55 < Serus> hi
07:55 < Serus> I've setup openvpn on my server using the instructions on the arch linux wiki and setup the client configuration on windows
07:56 < Serus> I can connect and ping the server via the vpn connection
07:56 < Serus> but I'm trying to route my traffic over the connection
07:56 < Serus> however I've not been able to get that quite working
07:57 < NetworkingPro> please send me your server config.
07:57 < NetworkingPro> are you using tap or tun?
07:57 < NetworkingPro> (please say tun)
07:57 < Serus> tup
07:57 < Serus> tun*
07:58 < NetworkingPro> Serus: the easiest way is to push the routes and gateway to your device remotely via the server config.
07:59 < Serus> http://paste.pound-python.org/show/UOuuiF7EnewDYWtvfLMU/
07:59 < NetworkingPro> ex: push "route 172.0.0.1 255.255.255.0"
07:59 < NetworkingPro> https://www.irccloud.com/pastebin/S5SwhIUY/
07:59 < NetworkingPro> make use of that
07:59 < Serus> it's pretty much the default config
07:59 < NetworkingPro> theres your routes
08:00 < Serus> do those IPs matter?
08:01 < Serus> as in, do I need to change those LAN ips?
08:01 < Serus> or can I leave them as is?
08:01 < arcsky> !topology
08:01 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
08:03 <@dazo> NetworkingPro: you can add 'iptables -I {INPUT,FORWARD,OUTPUT} -m conntrack --ctstate NEW -j LOG' on those embedded devices to see what happens ... might want to narrow it in more with IP addresses if you have more clients being connected right now
08:03 <@dazo> with that iptables log line, you'll find the "dump" in 'dmesg'
08:03 < NetworkingPro> nice dazo thanks!
08:03 < NetworkingPro> ill give it a try
08:03 < arcsky> dazo: my config; https://paste.sh/sD6s4J55#Z_BUwo_5uEOz_qt2-EsxXNOl
08:05 < Serus> well, I'll be back later
08:05 < Serus> I'll try to troubleshoot it when I'm back
08:09 < SCHAAP137> yey, finally succeeded in cross-compiling it for Win64 with LibreSSL
08:09 < SCHAAP137> with the generic build system
08:09 < SCHAAP137> needed some changes in both build.vars and build itself
08:11 < SAKUJ0> Holy shit I found it
08:11 < SAKUJ0> "Note: If you do not configure MTU, then you will notice that small packets like ping and DNS will work, however web browsing will not work."
08:14 < SCHAAP137> i have a question; when creating a .patch file to place in openvpn-build/generic/patches, what should be the upper level dir mentioned in the patch file?
08:15 < SCHAAP137> i see the build script is doing a patch -p1, but to me it's not clear from where
08:16 < SCHAAP137> anyone have an example patch maybe, for the generic build system?
08:22 < SCHAAP137> ok never mind, fixed
08:23 < hiya> !security
08:23 <@vpnHelper> "security" is "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview
08:24 < hiya> !pki
08:24 <@vpnHelper> "pki" is (#1) Here's a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that each other were signed by the right ca.key. Optionally, the client also checks that the server cert was signed specially as a server (see !servercert) or (#2) !certman for various PKI management tools or (#3) see !intro-to-pki
08:25 < hiya> !certman
08:25 <@vpnHelper> "certman" is (#1) Various frontends can help you manage your PKI (certs & keys.) !easy-rsa is the officially supported one for OpenVPN. or (#2) Other choices include: !xca, !ssladmin, and probably others online
08:25 < hiya> !xca
08:25 <@vpnHelper> "xca" is (#1) XCA is a GUI to create/manage a PKI, much more user-friendly than easy-rsa. or (#2) Example XCA PKI for OpenVPN(writeup pending): https://community.openvpn.net/openvpn/wiki/XCA
08:26 <@ecrist> !factoids
08:26 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
08:26 <@ecrist> hiya: that page is easier, and you can search with a browser
08:28 < hiya> ecrist, ok thanks
08:31 < hiya> https://www.youtube.com/watch?v=0Veqz8W98iA
08:31 < hiya> lol
08:33 < SCHAAP137> Does anyone have an example patch file to use in the openvpn-build system? The documentation doesn't provide any examples.
08:33 < SCHAAP137> I made one but it's not being applied, I think I'
08:33 < SCHAAP137> m missing something here
08:35 < SCHAAP137> doesn't matter what it patches, just a functioning example for openvpn-build/generic/patches
08:38 <@ecrist> SCHAAP137: if you're already in the code enough to write patches, you might as well read the code in the build scripts to figure that out on your own.
08:40 < SCHAAP137> I've tried, but it's quite unclear, that's why I tried to ask here
08:41 < SCHAAP137> now i just copy the changed file to its proper location when the build starts, as a workaround
08:43 < SCHAAP137> just gambling with different patch levels / paths in the patch file
08:45 < hiya> ecrist, https://spit.mixtape.moe/view/raw/acbcf414 <-- Do you think this patch would work for OpenVPN 2.3.10?
08:50 < SCHAAP137> If anyone happens to know where I can find a working example patch file, made to be placed in openvpn-build/generic/patches, please let me know.
08:50 < SCHAAP137> I've tried to find it through the OpenVPN website, and Google, without any luck
09:02 < SCHAAP137> the documentation could improve on this particular aspect
09:03 < SCHAAP137> it's just not described anywhere how to use this patch folder, and my seemingly proper patch is not being applied.
09:04 < SCHAAP137> if anyone could shed some light on this, i would greatly appreciate it.
09:11 < SCHAAP137> ecrist, could I ask you for some pointers, or a direction in which to search? How can i find out how it works?
09:14 <@ecrist> SCHAAP137: do you have a copy of the entire openvpn source?
09:14 <@ecrist> take a look in CONTRIBUTING
09:15 <@ecrist> I don't see a generic/patches path in the openvpn source
09:15 <@ecrist> or see it mentioned anywhere in the source.
09:15 < SCHAAP137> ecrist: i'm using the openvpn-build system, not the normal source
09:16 <@ecrist> well, you're already off the beaten path, then.
09:16 < SAKUJ0> What does this mean when it comes to Fragment / MSS? http://hastebin.com/cayoreqiso.avrasm
09:16 <@vpnHelper> Title: hastebin (at hastebin.com)
09:16 < SCHAAP137> ecrist: why is that?
09:17 < SAKUJ0> I have noticed that pings, dns, smb etc. work via OpenVPN and UDP. However, accessing the site's webservers does not.
09:19 < SCHAAP137> i'll try rephrasing my question more accurately in #openvpn-devel, thanks ecrist
09:32 -!- _KaszpiR__ is now known as _KaszpiR_
09:46 < hiya> _FBi, hey
09:55 < adac> Guys, what do I need to set so that not the whole traffic goes via VPN but only the one that really requests a VPN host?
09:57 <@ecrist> don't use !def1
09:57 <@ecrist> !def1
09:57 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
11:40 -!- dazo is now known as dazo_afk
11:46 -!- moviuro_ is now known as moviuro
13:07 -!- janjust [~janjust@openvpn/community/support/janjust] has joined #openvpn
13:15 < janjust> !ovpnuke
13:15 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
13:21 -!- janjust [~janjust@openvpn/community/support/janjust] has left #openvpn ["Leaving"]
13:34 < hiya> Does compression compress a lot?
14:24 < Talltree> ecrist any idea why the service doesnt load the correct config but if i start it from the etc/openvpn folder with openvpn --config server.conf it works perfectly fine?
14:46 <@ecrist> Talltree: how are you starting it if not from the command line?
14:46 <@ecrist> where is the service expecting to find the configs?
14:47 < Talltree> service openvpn start
14:47 < Talltree> starts _something_
14:48 < Talltree> there is a init.d file for openvpn too
14:48 < Talltree> with CONFIG_DIR=/etc/openvpn
14:48 <@ecrist> is that where your configs are?
14:49 < Talltree> yes, but i still cant connect to it
14:49 < Talltree> if i start it via openvpn --config server.conf it works flawless
14:49 < Talltree> also, service openvpn status says exited
14:50 < Talltree> i cant find a log of that, nothing shows what it did
14:50 < Talltree> and google didnt help either...
14:50 <@ecrist> Talltree: You'll have to talk to the package maintainer for your OS on that
14:50 <@ecrist> our official stance for support is we only recognize the command line as you've used.
14:50 <@ecrist> !init
14:51 <@ecrist> !factoids
14:51 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
14:51 < Talltree> is there a -d mode?
14:51 <@ecrist> !launch
14:51 <@vpnHelper> "launch" is (#1) Problems starting OpenVPN with a service or init wrapper? Run it directly instead to debug, like this: openvpn --config /path/to/openvpn.conf or (#2) Then, once you get that working, feel free to integrate this into your init per your distro's documentation
14:52 < Talltree> what was the next version of initd again
14:52 <@ecrist> systemd
14:52 < Talltree> i heard there was some replacement going on
14:52 < Talltree> thanks
14:52 <@ecrist> it sucks
14:52 <@ecrist> I'm very much not a fan.
14:53 < Talltree> there doesnt appear to be a config for openvpn for it anyway on my server
14:53 < Talltree> so i guess its still init.d :D
14:54 <@ecrist> Talltree: what OS?
14:54 < Talltree> debian 8.2, thats jessie afaik
14:54 <@ecrist> mattock: aren't you the debian package maintainer?
14:55 < Talltree> 2.3.4-5 deb8u1
15:01 <@mattock> ecrist: yes, for the OpenVPN project's packages
15:02 <@mattock> the 2.3.4-5 version is not maintained by me, though
15:02 * Talltree will cry himself to sleep tonight
15:02 <@mattock> that's the default package in Debian Jessie afaicr
15:02 < Talltree> it is
15:02 < Talltree> alright
15:02 < Talltree> everything ive done so far
15:02 < Talltree> seems terribly wrong
15:02 < Talltree> since you are the right person it seems
15:02 <@mattock> so what is the problem exactly?
15:03 < Talltree> if i use service openvpn start
15:03 < Talltree> the server doesnt start or starts and stops for some reason, i cant find a log
15:03 <@mattock> don't :)
15:03 <@mattock> do you have a config file in place?
15:03 <@mattock> openvpn config I mean
15:03 < Talltree> if i use openvpn --config server.conf it works perfectly fine
15:03 < Talltree> yeah under /etc/openvpn
15:03 <@mattock> do "systemctl start openvpn@
15:04 <@mattock> for example: systemctl start openvpn@mycompany
15:04 <@mattock> if the config file is called "mycompany.conf"
15:05 < Talltree> can i swear in this channel?
15:05 < Talltree> w/e f... its working
15:05 < Talltree> why was that so hard, i googled my ass off feeling like a complete idiot
15:05 <@mattock> let me give you another hint, just a sec
15:05 < Talltree> so many discussions of problems and stuff...
15:06 < Talltree> systemctl is system.d
15:06 < Talltree> not init.d
15:06 < Talltree> so... i guess that was the problem...
15:07 <@mattock> yeah
15:07 < Talltree> thats not documented at all
15:08 < Talltree> i guess normal ppl use openvpn that actually know what they are doing
15:08 <@mattock> ok, so these may be of interest to you:
15:08 <@mattock> https://bugzilla.redhat.com/show_bug.cgi?id=746472
15:08 <@mattock> https://ask.fedoraproject.org/en/question/23085/how-to-start-openvpn-service-at-boot-time
15:08 <@vpnHelper> Title: Bug 746472 Openvpn service management broken (at bugzilla.redhat.com)
15:08 <@mattock> basically to make a specific connection autostart on boot you need to play symlink tricks
15:08 < Talltree> fedora etc isnt compatible with debians is it?
15:08 < Talltree> at least that was my info
15:08 <@mattock> well, as you said, systemd is system.d, so they're fairly close :)
15:09 <@mattock> I use Fedora as well as Debian
15:09 < Talltree> i am a noob, switched from ubuntu to debian since ubuntu seemed just too, well, big?
15:09 <@mattock> the above info applies to Debian Jessie as well
15:09 < Talltree> bookmarked, will look at both tomorrow since its 10 am
15:09 <@mattock> I switched from Ubuntu 14.04 to Fedora 21 (now at 23) and I love Fedora
15:09 < Talltree> i really appreciate the help, thanks
15:10 < Talltree> *pm
15:10 <@mattock> no problem, I got bit by systemd myself, so glad to be of assistance
15:10 <@mattock> (11:07 PM here, got to hit the sack)
15:10 < Talltree> never liked ubuntu desktop, too much "common user" :D
15:10 < Talltree> i dont know how to explain it
15:10 <@mattock> I get it
15:10 < Talltree> but i dont like being packed full of programs that i dont like
15:11 <@mattock> ok, talk to you later!
15:11 < Talltree> good night
15:11 <@mattock> good night!
15:17 < hiya> I am having a strange issue, https://spit.mixtape.moe/view/raw/eb5067bf <-- see this I use source and destination both, because if I use source then only uploads from client are being counted on server, if I use destination then only downloads are being counted, my question is now how to make them under one rule such that when total usage upload+download or any reaches 1024 bytes it should stop client's access.
15:23 < DrManhattan> I have a VPN tunnel set up to PIA, but when the VPN link drops the tunnel forwards the traffic to the local network. How can I prevent this behavior?
15:30 < hiya> DrManhattan, which OS?
17:03 < cwage> "The following options are legal in a client-specific context: --push, --push-reset, --iroute, --ifconfig-push, and --config"
17:03 < cwage> am i interpreting this correctly to mean that you can specify an entirely different config based on client-config-dir?
17:17 < cwage> nevermind, guess not
17:55 < DrManhattan> hiya, debian wheezy
17:55 < DrManhattan> sorry for the lag I am at work
18:00 <@Eugene> DrManhattan - firewall rules.
18:00 <@Eugene> Combination of -s/-d and -i/-o will do the trick nicely
18:00 <@Eugene> (as iptables filters)
18:09 < DrManhattan> Eugene, I can use the firewall? Blacklist all traffic on eth0 except VPN?
18:09 < DrManhattan> thank you, I don't know why I didn't think about doing it like that
18:09 <@Eugene> I don't know what your interfaces look like, so I couldn't tell you what to block where
18:10 <@Eugene> Generally speaking, you only allow traffic out an interface that is destined for the right address
18:10 <@Eugene> And then block the rest
18:10 <@Eugene> But be careful, heh
18:11 < derekv> what's a good practice for making changes to the openvpn connection of a remote client where you need said connection to access the client, and physical access to said client is inconvenient at best
18:14 <@Eugene> Don't.
18:14 < derekv> lol
18:14 < derekv> I might have to =]
18:14 <@Eugene> If that's not viable, set up a SSH backdoor and implement strong change controls and monitoring
18:15 <@Eugene> Minimize the number of configurables on the client end and make sure the service will auto-restart on failure
18:15 < derekv> true... I'm thinking along the lines of some sort of auto-restart (which it will have), but have it fail back to the old config
18:16 <@Eugene> '--resolv-retry infinite' and using a DNS name for --remote will be a good start
18:47 < Lope> `openvpn --config foo.conf --verb 4` pauses for a few seconds, then exits without saying anything at all?
18:48 < Lope> oops, my conf file said verb 0
18:56 < Lope> had to also remove the log and mute options.
18:58 < DrManhattan> Yeah, if I could open up a VNC backdoor to a VPN client i'd be stoked, but after I connect to the VPN my routes are rewritten and if I change them, the VPN stops working.
18:59 < DrManhattan> So far the only way I've been able to accomplish what I want is to use a 2009 era macbook, which allows VNC connections AND connects to the VPN
19:38 < grkblood> is there anyway to check if openvpn is actually connected to the vpn without curling a website that responds with your ip address?
19:38 < grkblood> ive tried checking the status file every second but nothing in there updates reliably enough to be used
20:04 < ArthropodOfDoom> Hi, I'm having some trouble getting TLS-authed VPN service from my laptop to an advancedtomato router. I've already looked around quite a bit, and have a functioning static-key connection between two other routers that bridges them for my own purposes. What do you need so I can get some help figuring out my problem?
20:44 < ArthropodOfDoom> !ovpnuke
20:44 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
20:45 < ArthropodOfDoom> !poodle
20:45 <@vpnHelper> "poodle" is (#1) http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html . OpenVPN uses TLSv1.0, or (with >=2.3.3) optionally TLSv1.2 and is thus not impacted by POODLE. See also: !hardening for some unrelated TLS security options OpenVPN has or (#2) https://www.tinfoilsecurity.com/poodle for a tool for testing your websites
--- Day changed Tue Feb 02 2016
02:27 < Serus> hello
02:28 < Serus> can anybody point me to an up to date guide on how to setup full network routing over openvpn on windows? the server is on linux
02:29 < Serus> The network is forced as a public network on windows, which has to be set to either work or home according to google
02:58 -!- phreakocious_ is now known as phreakocious
03:03 < ponky> hello. anyone running openvpn on iOS? i'm having a problem: OpenVPN server certificate verification failed : PolarSSL: SSL read error : X509 - Certifcate verification failed, e.g. CRL, CA or signature check failed
03:03 < ponky> server is on a mikrotik router. there's around 50 vpns connected to that server, but iOS clients will not connect
03:03 < ponky> if i remove "require-client-certificate", all clients connect just fine
03:03 < ponky> if require-client-certificate is enabled, iOS clients will not connect
03:05 < ponky> VERIFY FAIL CERT_NOT_TRUSTED: depth=0. iirc there was a bug with length 0 earlier but it was fixed?
03:06 < ponky> someone else has posted more information about this: https://forums.openvpn.net/topic17049.html
03:06 <@vpnHelper> Title: OpenVPN Support Forum OpenVPN Connect iOS 1.0.5 broken: Cert verify fails : OpenVPN Connect (iOS) (at forums.openvpn.net)
03:10 < ponky> basic constraints are set
03:15 < ponky> and yes, it's marked as critical: basicConstraints = critical,CA:true
03:29 < hiya> Did anyone see my iptables thing?
03:36 < ponky> hmm. i managed to fix the certificate thing. now it's failing with "TCP recv EOF, Transport Error: Trnsport error on 'x': NETWORK_EOF_ERROR"
03:54 < albercuba> Hello everyone, I am having a problem making my clients route all traffic via the openvpn server. Can someone take a look at this and tell me if it is correct? --> https://paste.ee/p/1Xklx
04:29 < BtbN> Is there still no redirect-gateway for IPv6?
04:46 < albercuba> BtbN, do you have redirect gateway working on ipv4?
04:46 < BtbN> sure
04:46 < albercuba> tun or tap?
04:46 < BtbN> But there is no such thing for IPv6, and just pushing ::/0 would kill the route to the server.
04:47 < BtbN> Why would that matter?
04:47 < albercuba> i do not get it working
04:47 < BtbN> Your firewall and NAT is setup correctly?
04:47 < albercuba> can i see your server.conf and client conf file section for redirect-gateway?
04:47 < albercuba> I thin so
04:47 < BtbN> No server config, just a plain redirect-gateway def1 in the client.
04:47 < albercuba> I think so
04:48 < BtbN> If it doesn't work, you have a firewall/networking problem.
04:48 < albercuba> BtbN, so no redirect-gateway on the server
04:48 < BtbN> Why would the server want to redirect its gateway? And I don't push anything.
04:48 < albercuba> let me try
04:48 < albercuba> :q!
04:55 < albercuba> BtbN, have you seen this error while configuring redirect? --> https://paste.ee/p/Z0ztU
04:55 < BtbN> looks like Windows.
04:56 < albercuba> yes, that client is in windows
04:59 < albercuba> ah wait, it could be a permissions prob
06:13 < Serus> can anybody help me with redirecting my windows client over the VPN network?
06:13 < Serus> I am having genuine trouble getting this to work
06:15 < hiya> Serus, what is the issue?
06:15 < hiya> Serus, I need server client both logs
06:16 < Serus> I'm trying to route the network from the windows client over the VPN connection
06:16 < Serus> Is the server log the output?
06:16 < hiya> so you have a VPN server / service you want to connect to?
06:16 < Serus> I have setup openvpn on my server
06:17 < hiya> ok then connect to it?
06:17 < hiya> Which Windows application are you using?
06:17 < Serus> and I want to route the network of the windows client over the VPN connection
06:17 < Serus> the openvpn client for windows
06:18 < hiya> Can you show me the logs?
06:18 < hiya> for that Windows client?
06:18 < Serus> https://openvpn.net/index.php/open-source/downloads.html the 64 bit installer from here for windows vista and later
06:18 <@vpnHelper> Title: Downloads (at openvpn.net)
06:19 < hiya> k
06:19 < hiya> logs?
06:19 < Serus> coming up
06:19 < Serus> http://pastebin.com/wWg39zjx
06:19 < Serus> That's the client log
06:20 < hiya> so what is the problem?
06:20 < hiya> it seems to work?
06:20 < Serus> I can ping to the server just fine, that's not the problem
06:21 < Serus> I just want my traffic to route via my server
06:21 < hiya> traceroute youtube.com
06:21 < Serus> that doesn't work here on school, sadly
06:21 < hiya> goes it go via 10.8.0.1
06:21 < hiya> does*
06:21 < hiya> What does not work?
06:22 < Serus> traceroute, they disable it somehow
06:22 < Serus> the reason I want to use the VPN connection is so I can at least SSH properly
06:22 < Serus> since literally every port but 80 and 443 are closed
06:23 < Serus> can't FTP, SSH or do anything :/
06:23 < Serus> either way, going to a site like canyouseeme.org still reports the school IP
06:23 < Serus> while to my knowledge it should report the server's IP, am I correct?
06:24 < BtbN> Well, if you still use your school DNS, that's not too surprising.
06:24 < hiya> port 80 / 443 udp are blocked?
06:24 < BtbN> And no, it should report the actual IP
06:24 < BtbN> unless you are doing some proxy stuff.
06:24 < Serus> not sure about 80, but 443 won't let me go over UDP
06:25 < Serus> ah, okay
06:25 < BtbN> If your school enforces a proxy, you're out of luck anyway.
06:25 < hiya> I think you can use a port 443 VPN
06:26 < Serus> so does using openvpn help me to circumvent the port blocking? I know some classmates are using services like ping buster to be able to work on their assignments normally
06:26 < BtbN> Not if the school is using a transparent proxy with MITM
06:26 < hiya> Serus, I helped many university guys to get out of the firewall, over port 443
06:26 < hiya> and they are enjoying internet
06:26 < Serus> But services like ping buster are essentially a VPN, right?
06:26 < hiya> I just suggest them to use dnscrypt too
06:27 < hiya> yes
06:27 < Serus> hiya: that's cool
06:27 < Serus> well, then I think this should be able to work
06:27 < hiya> ok
06:33 < albercuba> Hello everyone. I am having a problem and I do not know why. I have several vlans 2 of them are vlan101 and vlan50. Via my firewall rules Specific IPs can access the vlan50 from vlan101. But I have an OpenVPN server in vlan101 using tap, so when my clients connect, they look like they are in vlan101 and they get an IP in that range. The problem is that even when I set the firewall rules, my vpn clients cannot access vlan50. If I run a
06:33 < albercuba> ping, it looks like it comes from the OpenVPN server IP's and I need it to come from the client's IP
06:42 -!- s7r [~s7r@openvpn/user/s7r] has quit [Read error: Connection reset by peer]
06:42 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
06:42 -!- mode/#openvpn [+v s7r] by ChanServ
07:28 < waressearcher2> is there openvpn for windows 2000, windows 98 or windows XP ?
07:28 < debdog> WinXP, at least
07:29 < waressearcher2> is it possible to run it in cygwin ?
07:29 < debdog> dunno
07:29 < debdog> http://swupdate.openvpn.org/community/releases/openvpn-install-2.3.10-I002-x86_64.exe the XP installer
07:30 < debdog> oops, that's the 64bit one
07:30 < debdog> http://swupdate.openvpn.org/community/releases/openvpn-install-2.3.10-I002-i686.exe
07:30 < waressearcher2> but https://en.wikipedia.org/wiki/OpenVPN says: "Platform Windows (Vista or later)" so there is no official "windows XP" version ?
07:30 <@vpnHelper> Title: OpenVPN - Wikipedia, the free encyclopedia (at en.wikipedia.org)
07:30 < debdog> Installer (32-bit), Windows XP
07:30 < debdog> https://openvpn.net/index.php/download/community-downloads.html
07:30 <@vpnHelper> Title: Community Downloads (at openvpn.net)
07:31 < waressearcher2> so wikipedia is inconsistent
07:31 < debdog> what do you know
08:04 < Talltree> there is really no way to connect to an openvpn server without any admin rights?
08:06 < BtbN> Well, connecting to it isn't the issue.
08:06 < BtbN> Doing something useful with the VPN is.
08:08 < Talltree> my work got a really bad setup, i dunno what they log, i dont trust them, its like a school a bit, those pc's here even got viruses and are on xp. trying to wrap my head around ways to get some sort of 3rd party security system going....
08:10 < waressearcher2> Talltree: try ##vpn
08:12 < Talltree> woah hell no, that channel seems like a ponzi scheme
08:21 < hiya> hi
08:21 < hiya> :)
08:21 < hiya> Talltree, which part?
08:21 < Talltree> every part, your whole demeanour
08:23 < hiya> ok
08:23 < hiya> i can say the same about u
08:26 < Talltree> thats the exact reaction i thought you do, like a little kid "no you".
08:28 < hiya> Thanks for acting and confirming :)
08:30 < Talltree> empty lines without any arguments.
08:31 < Talltree> i will just keep ignoring you like 95 % of this channel
08:35 < hiya> i see so you are just an over jealous one :P
08:35 < hiya> Nvm
08:35 < hiya> I got real stuff to do
08:46 < hiya> toli, sup
08:46 < hiya> :)
08:47 < hiya> How can I help you?
08:47 < hiya> oops I thought was in .......
08:47 < hiya> nvm
08:55 < tomodachi> Hi , is it possible on the server to see which version of openvpn that the connecting client has
08:57 < hiya> tomodachi, sure, ask them?
08:57 < hiya> :)
08:59 < tomodachi> ask them?
08:59 < tomodachi> hiya:
09:00 < hiya> tomodachi, I was kidding, nvm :) I don't think it is possible but you should wait for correct reply
09:01 < tomodachi> ah :)
09:02 < tomodachi> yeah well its tough with so many users to ask each and one
09:05 < hiya> tomodachi, ok :) but why do you need that information for?
09:05 < tomodachi> well there is a potential man in the middle attack exploit
09:05 < tomodachi> with a openvpn gui we use called tunnelblick *for osx*
09:06 < tomodachi> if i could see what version of openvpn is used on the client it might be possible to deduce what version of tunnelblick it was bundled with
09:06 < tomodachi> so i can see if users are connecting with an unpatched version
09:07 < hiya> tomodachi, ok just ask them to use the right version and enforce TLS 1.2 if you like
09:16 < tomodachi> hiya: when you have hundreds of users over several continents and cant even verify if they actually have done that
09:16 < tomodachi> it will require lots of time and patience and i can never be sure
09:16 < tomodachi> so being able to check in the server of course is the best possible route , if possible at all
09:22 < hiya> ok
09:22 < hiya> :)
09:23 <@plaisthos> tomodachi: IV_GUI_VER
09:23 <@plaisthos> tomodachi: Tunnelblick sends it
09:23 < tomodachi> plaisthos: really? thats great news how can i check for it?
09:24 <@plaisthos> tomodachi: using management or running master on the server
09:24 <@plaisthos> frfrom
09:24 <@plaisthos> from a master server:
09:24 <@plaisthos> /var/log/syslog.7.gz:Jan 26 18:32:55 hermes ovpn-aead-v6[21880]: erato.blinkt.de/92.73.176.246 peer info: IV_GUI_VER=de.blinkt.openvpn_0.6.46
09:25 <@plaisthos> that is an Android client but tunnelblick is similar iirc
09:53 < tomodachi> plaisthos: what verbosity setting do you have in your server.conf?
09:53 < naquad> h
09:53 < naquad> *hi :)
09:54 < naquad> is there any simple way to route only single app through openvpn? i would like to set up socks proxy looking into openvpn's gateway and selectively configure apps to use it rather than set default route. i've seen option with dummy interfaces and routing tables, but that looks too clumsy. are there any other ways?
09:56 < DArqueBishop> !routebyapp
09:56 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. or (#2) Alternatively, read up about Policy Routing to make routing decisions based on
09:56 <@vpnHelper> defined policies you set. For Linux, read about !lartc
09:57 <@plaisthos> tomodachi: verb 3
09:57 <@plaisthos> tomodachi: but you need a version from git
09:58 < tomodachi> hmm of openvpn?
09:58 < tomodachi> thats a bit annoying dont want to run a git checkout version on our production env just to find out...
10:02 <@plaisthos> tomodachi: yes
10:02 <@plaisthos> tomodachi: you can get that info also via the management console iirc
10:03 < naquad> DArqueBishop, thanks
10:03 < naquad> !lartc
10:04 <@vpnHelper> "lartc" is (#1) LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. Start at the beginning if you're new to advanced routing on Linux or (#2) there is also a writeup on policy routing at https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
10:11 < naquad> !sockd
10:11 <@vpnHelper> "sockd" is if you want !routebyapp you can use this dante config www.ircpimps.org/sockd.conf but BE SURE TO ONLY RUN THIS ON THE INTERNAL VPN IP! otherwise you will be an open proxy. that config has no security because its expected to run inside openvpn
10:16 < hiya> hey guys, there is a huge problem
10:16 < hiya> OpenVPN even without client-to-client with topology subnet, tun, is allowing clients to ping each other?
10:17 < hiya> How is that possible?
10:26 <@plaisthos> hiya: reread the client-to-client option in the manpage
10:27 <@plaisthos> it only enables internal forwarding
10:27 <@plaisthos> your linux router will still do routing between clients
10:28 < hiya> plaisthos, no but if I do not set client-to-client, and if you and me both are on same ovpn server, you being in US, I being in Japan, and you having a private IP 10.8.0.x, me having IP 10.8.0.y, Can we both ping each other?
10:32 <@plaisthos> yes
10:32 <@plaisthos> 17:24:22 <@plaisthos> your linux router will still do routing between clients
10:32 <@plaisthos> !client-to-client
10:32 <@vpnHelper> "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind
10:32 <@vpnHelper> other clients
10:33 < hiya> plaisthos, So the gist is, unless we block such thing in firewall, it would work any way?
10:34 < hiya> so ping is fine, right?
10:43 < Serus> hi
10:43 < trigger_happy> So I'm having some issues routing to a DMZ subnet I have setup in a VPC in AWS ...
10:43 < hiya> Hi
10:43 < Serus> how can I speed the VPN connection?
10:43 < Serus> speed up*
10:43 < Serus> I get 6.4MB/s down on speedtest
10:43 < trigger_happy> I found docs for how to setup DMZ on a per user basis but it doesn't work for more than one ip address and also for more than one user ...
10:44 < trigger_happy> Is there no way to setup a DMZ subnet route?
11:12 < tomodachi> plaisthos: thanx for the ideas, i will check out the management console
11:24 < tomodachi> plaisthos: hmm cant seem to find anything in the logs of the management console do you have any explicit command i should be using for it?
11:24 < tomodachi> tested with the status command
11:24 < tomodachi> and log all
11:36 < Angs> Is it possible to route IPv6 traffic over IPv4 openVPN? similar to what 6in4 does?
12:10 < zoredache> You can use IPv6 over OpenVPN.
12:23 <@Eugene> Angs - openvpn has a set of ipv6 options from 2.3+. You can run a 6in4 over the tunnel if you're on an older version that doesn't support v6 natively
12:56 < Serus> is it possible to tunnel UDP data over tcp with my openvpn connection?
13:08 <@Eugene> openvpn will pass any Layer3 protocol you want in tun mode, or L2 traffic in tap mode.
13:08 < Angs> Eugene, My aim is to connect an IPv6 network that has no native IPv6 connection to a server that has IPv4 and IPv6 addr (debian). I read that I can use 6in4 on SixXS, but it may not be reliable as SixXS' addresses depend on voluntary organizations that may stop support on the IP that I use, an alternative is to use Teredo but it is also not a long term solution. That's why I considered if I can use openVPN that provides an additional security function as well
13:09 <@Eugene> The tcp/udp mode used to carry the tunnel is separate; we recommend using UDP whenever possible
13:09 < Angs> do you think it makes sense to use openVPN for that purpose?
13:10 <@Eugene> I use+like HE's tunnelbroker.net 6in4 service. Openvpn from a VPS will work well, but you'll need to sort out all the v6 routing details yourself
13:12 < Angs> I see. then I will use 6in4 to not deal with routing. Thanks for the advice
13:13 < Angs> do I understand correctly that you can't use HE's service behind an IPv4 NAT?
13:15 -!- Netsplit *.net <-> *.split quits: Dougy
13:15 -!- Gizmokid2010 is now known as Gizmokid2005
13:16 -!- mirco_ is now known as mirco
13:16 -!- xMopxShe- is now known as xMopxShell
13:46 <@Eugene> You need a public IPv4 address for your end of the 6in4 tunnel. In a typical setup your router handles the tunnel termination and provides v6 native service to the LAN, not your desktop
13:47 <@Eugene> A non-static(DHCP) public IP will work, but you'll need to update the tunnel endpoint when it changes. I believe they provide instructions for how to do this using a cron job
13:48 <@Eugene> If you're getting a CGNAT IP(not a publicly-routable one) on your Router/Modem, that won't work. Contact your ISP and ask for a public IP.
13:48 < Serus> Are you answering my question I asked earlier, Eugene?
13:48 < Serus> oh, no, nvm
13:48 <@Eugene> Above I was
13:48 < Serus> ah
13:49 < Serus> I'm trying to connect to league of legends using my VPN, but I think it's not getting the UDP traffic, is there anyway to debug it, Eugene?
13:49 <@Eugene> I've got no idea what that is.
13:50 < Serus> league of legends is a video game
13:50 < Serus> it uses the UDP ports 5000-5500
13:50 < Serus> and establishes these connections from server to client, I think
13:51 < Serus> I get to where I can log in and then I simply get an error about it being unable to connect
13:51 <@Eugene> Openvpn will gladly pass that, so long as you've got the appropriate route to the IP set
13:51 < Serus> so I'd like to monitor my incoming traffic to see if it's getting passed to openvpn properly
13:51 <@Eugene> That looks to be a newer game, why not just use Steam or whatever integration? You shouldn't need any vpn stuff
13:51 <@Eugene> Wireshark / tcpdump are good traffic packet-sniffing debug tools
13:51 < Serus> it's not on steam
13:52 < Serus> and the route you talk about, is that on the firewall?
13:52 < Serus> or an openvpn setting?
13:52 <@Eugene> openvpn can set up routes for you
13:52 <@Eugene> !route
13:52 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
13:52 <@vpnHelper> client
13:52 <@Eugene> And now i am off to lunch. Good luck
13:52 < Serus> thanks
14:04 < cruxeternus> !goal
14:04 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:15 < cruxeternus> Infra
14:15 < cruxeternus> whoops, sorry, wrong window :(
14:29 < cruxeternus> Is there a way to push individual hostname-IP mappings to OpenVPN clients (upon connect) without forcing them to use an alternative DNS server?
15:14 <@Eugene> cruxeternus - no. Publish your hostnames in public DNS and save yourself a lot of trouble.
15:45 < cruxeternus> Thanks for the answer. I think I'll just use IP addresses for the time being, but may have to do as you suggest if our VPN expands.
15:46 < cruxeternus> Although, I guess there isn't any real harm in putting the IPs in public DNS.
15:46 < cruxeternus> Perhaps I'm just paranoid. :P
16:17 < cirdan> hey, I have an application that expects to run over the local network but I want it to run over the vpn. it's xbox streaming so I can't run openvpn on the xbox, and I am using a routed layout. Is there anything I can do to make the xbox appear local to windows 10?
16:17 < cirdan> maybe something with iptables SNAT or something?
16:21 < tomodachi> cirdan: you have to run a bridged VPN instead of a routed VPN
16:22 < tomodachi> routed VPN is the easy default
16:22 < tomodachi> https://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html
16:22 <@vpnHelper> Title: Ethernet Bridging (at openvpn.net)
16:22 < tomodachi> seems to describe the steps
16:23 < cirdan> tomodachi: except I can't since my ios devices dont do bridging
16:54 < Angs> I have two debian and one ubuntu PC, I installed openvpn via apt-get install. Debians have version 2.3.4, ubuntu has v2.3.2. would it cause any problem to use the VPN
16:55 < Angs> or is it best to compile it from the source code?
16:55 < Angs> and have 2.3.10?
17:16 < Angs> why is easy-rsa not a part of openvpn anymore?
17:16 < Angs> is it not recommended to use?
17:59 < Angs> does anyone use openVPN server on IBM's Softlayer
18:01 < Angs> is it required to pay extra to run openVPN on Softlayer?
18:03 < debdog> Angs: https://packages.debian.org/jessie/easy-rsa still part of openvpn but a separate package in debian
18:03 <@vpnHelper> Title: Debian -- Details of package easy-rsa in jessie (at packages.debian.org)
18:05 < Angs> debdog, thank you.
18:06 < debdog> Angs: regarding versions. might depend on features you intend to use. here I am running a 2.3.4 ovpn server with 2.3.8 clients without problems
18:19 -!- linear_ is now known as linear
18:50 < dbRenaud> !welcome
18:50 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
18:50 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:00 < Angs> https://openvpn.net/index.php/open-source/documentation/howto.html seems like an outdated tutorial. As an example it asks to . ./vars, but there is no such file under /usr/share/doc/openvpn
19:00 <@vpnHelper> Title: HOWTO (at openvpn.net)
19:01 < Angs> is there a better way to setup a VPN server and clients?
19:09 < debdog> Angs: /usr/share/easy-rsa/vars
19:09 < debdog> debian special case, again
19:12 < debdog> the other files are at this location, too https://packages.debian.org/jessie/all/easy-rsa/filelist
19:12 <@vpnHelper> Title: Debian -- File list of package easy-rsa/jessie/all (at packages.debian.org)
19:13 < dbRenaud> Hi, I would like to forward all incoming traffic of a specified interface to one of my VPN client, if i'm not mistaken I think I need to use iptables right?
20:07 < Angs> debdog, thanks again
20:28 < Angs> when I run ./build-ca
20:28 < Angs> it outputs "error on line 198 of /etc/openvpn/openssl-1.0.0.cnf
20:28 < Angs> 140077272290960:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:618:line 198
20:28 < Angs> "
20:29 < Angs> any idea what could be wrong?
20:32 < dbRenaud> There's a missing value on a variable, what's on your line 198 ?
20:37 < Angs> dbRenaud, I did cp -r /usr/share/easy-rsa /etc/openvpn, and then edited vars http://pastebin.com/KKLhZN3d
20:37 < Angs> it has only 82 lines
20:38 < Angs> I was just running these commands: ". ./vars
20:38 < Angs> ./clean-all
20:38 < Angs> ./build-ca"
20:49 < dbRenaud> http://ubuntuforums.org/showthread.php?t=2218935
20:49 <@vpnHelper> Title: Open VPN cannot run ./build-ca (at ubuntuforums.org)
20:52 < Angs> dbRenaud, thanks it works fine now :)
22:18 < dbRenaud> Hi, I would like to forward all incoming traffic of a specified interface to one of my VPN client, if i'm not mistaken I think I need to use iptables right?
22:53 -!- james41382_ is now known as james41382
23:03 < Neighbour> yes, something like: iptables -t nat -A PREROUTING -i -j DNAT --to-destination
23:11 < dbRenaud> thanks ill try it
23:11 < dbRenaud> But i don't think I can use venet0:1 as interface
--- Day changed Wed Feb 03 2016
01:34 < Angs> how many clients can concurrently be connected to an openVPN server?
01:34 < Angs> max-clients is commented out on the .config, what is the default value?
01:35 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 240 seconds]
01:40 < Neighbour> dbRenaud: venet0:1 sounds like an alias, not like an interface (that would be venet0)
03:38 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
03:38 -!- mode/#openvpn [+o dazo_afk] by ChanServ
03:38 -!- dazo_afk is now known as dazo
05:23 < Angs> I configure my server and clients to use IPv6. it wouldn't be a problem if the devices have only IPv4 IP and have no native IPv6 network connection, right?
07:25 < mustu> hi does any other client exist for Mac other than TunnelBlick?
07:26 < mustu> TunnelBlick appears to disconnect frequently
07:31 < Serus> doesn't the commandline openvpn client work on mac?
07:38 < higuita> if it disconnects, i suspect your connection... but try from the command line and also see the log
09:51 -!- dazo is now known as dazo_afk
10:08 < shtrb> any win10 users with openvpn running as Tap around ?
10:09 < shtrb> *with bridge mode
10:21 < arthar360> Hi...I want to customize openvpn gui. I want to change the icon and name. Any idea how to do that?
10:33 < BtbN> Why would you want to do that?
10:35 < arthar360> BtbN, Simply to not let my employees know that I am using OpenVPN
10:41 < DArqueBishop> ... why would you not want them to know that?
10:42 < DArqueBishop> Sorry if that sounded snarky, but I'm just curious why it's an issue.
10:45 -!- esde [~something@openvpn/user/esde] has quit [Ping timeout: 276 seconds]
10:54 < BtbN> I think OpenVPN AS offers branded stuff if you pay enough.
10:54 -!- esde [~something@openvpn/user/esde] has joined #openvpn
10:54 -!- mode/#openvpn [+v esde] by ChanServ
11:18 < distortedsignal> !welcome
11:18 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
11:18 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:19 < distortedsignal> !goal
11:19 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:22 < distortedsignal> !howto
11:22 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
11:30 < distortedsignal> Out of curiosity, for those who have set up a Certificate Authority for their OpenVPN setup, did you first set up a "root" CA and then set up a "child" CA for OpenVPN, or did you set up the CA for OpenVPN and call it a day?
11:31 < distortedsignal> I'm an "enterprise developer" and I'm trying to figure out if I'm Enterprising too hard on this setup.
11:31 < skyroveRR> I for one just setup a root CA.
11:31 < skyroveRR> For my home needs.
11:31 < skyroveRR> Dunno if that reply would be applicable to you, though. ;)
11:34 < distortedsignal> @skyroveRR If you don't mind sharing, I would be interested in what else you're using CAs for in your home network. :)
11:34 < zoredache> I have cheated, and re-used my puppet CA and certs for OpenVPN. Probably not a great idea though.
11:35 < skyroveRR> distortedsignal: only for connecting one device: my phone, to the VPN back home for secure internal resource access. And probably for web browsing and IRC.
11:35 < distortedsignal> @zoredache Is that puppet the automation tool, or are you using some industry slang that I haven't heard yet?
11:36 < zoredache> Yes, puppet, the configuration management engine. It uses PKI to authorize clients to access their config. It runs its own root CA for that purpose.
11:37 < distortedsignal> zoredache, skyroveRR thanks. This is good information. Thanks for your help! :)
13:34 < cwage> is there a way for the windows openvpn gui to make use of DNS servers pushed with dhcp-option?
13:35 < cwage> viscosity seems to override them properly, but when i use the stock openvpn gui, it's still using my ISP's nameservers despite the nameservers on the tap interface
13:36 <@plaisthos> which windows?
13:36 <@plaisthos> windows 10?
13:37 < hiya> cwage, your server.conf?
13:37 < hiya> also google "Stop windows 10 dns leaks"
13:38 < cwage> yes, windows 10
13:39 < cwage> i see, ok, thanks
13:39 < cwage> oy, that's annoying
13:42 <@plaisthos> newer openvpn version have a block-outside-dns iirc
13:42 < hiya> cwage, yes :)
13:42 < cwage> adding block-outside-dns to the client config didn't seem to help
13:42 < cwage> that is in 2.3.10 as well, right?
13:42 <@plaisthos> yes
13:42 <@plaisthos> if the client does not know the option it will error out
13:43 < hiya> block-outside-dns in client.conf does not work?
13:43 < hiya> it is not possible
13:43 <@plaisthos> hiya: ?!
13:43 < hiya> plaisthos, What?
13:44 <@plaisthos> hiya: your remark about block-outside-dns not working being impossible
13:45 < hiya> plaisthos, so it does not work?
13:45 < cwage> nevermind, my browser had cached the old config
13:45 < cwage> that worked, thank you!
13:45 < hiya> welcome
13:45 < hiya> :)
13:46 < cwage> is there an easier way to have windows users load a config than manually copying the ovpn into the C:/Program files/OpenVPN/config dir?
13:46 < hiya> yes
13:47 < hiya> use Viscosity :)
13:47 < cwage> heh
13:47 < cwage> likely what we end up doing, alas
14:12 < cwage> hmm
14:12 < cwage> adding block-outside-dns breaks viscosity
14:12 < cwage> guess i'll need separate configs
14:47 <@plaisthos> cwage: or use the setenv opt stuff
14:48 <@plaisthos> see the manpage
15:03 < cwage> thanks
16:36 -!- wodim is now known as Qt
16:36 -!- Qt is now known as wodim
22:15 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Disconnected by services]
22:17 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
22:17 -!- mode/#openvpn [+o vpnHelper] by ChanServ
23:20 < flyingbuddha> !welcome
23:20 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
23:20 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
23:21 < flyingbuddha> Using tunnelblick on OS X 10.11, I would like to route all traffic to my OVPN server with the exception of a whitelist of hostnames/IPs. Is this possible?
--- Day changed Thu Feb 04 2016
01:30 < LJHSLDJHSDLJH> anyone know a free site offering a free openvpn server to try the client on?
01:32 < LJHSLDJHSDLJH> all sites google gives are 100% free, then they turn out to be 1000% paid
02:28 < LJHSLDJHSDLJH> then you're worthless
02:29 < Neighbour> worth is in the eye of the beholder :)
05:35 < suexec> How can I easily create a .ovpn file from a generated certificate?
06:26 < suexec> nvm - I sorted it
07:26 < adac> Does it make sense to use a real (i.e.) SSL certificate for a VPN server?
07:39 < PowerKiller> Good Day! BTW, can I make a server get port forwarded via OVPN?
07:40 < PowerKiller> I mean I've found a cheap server with unlimited bandwidth
07:40 < PowerKiller> but I have an application which needs heavy disk and CPU
07:40 < PowerKiller> and another app. which requires GPU
07:41 < PowerKiller> can I install OpenVPN on the cheap server and use my own home-made servers which have ports closed?
07:41 < PowerKiller> I think it'll work like this: client -> OpenVPN server -> OpenVPN client -> my own server
07:43 < PowerKiller> like if a user sends some mp4 files to be rendered to port 9000 and OpenVPN gets it then sends it to my OpenVPN client which then renders it and sends it back via OpenVPN client to OpenVPN server which relays it back to user
07:44 < PowerKiller> should work this way, as I see from https://forums.openvpn.net/topic7821.html
07:44 <@vpnHelper> Title: OpenVPN Support Forum Port Forwarding : Server Administration (at forums.openvpn.net)
07:45 < PowerKiller> https://forums.openvpn.net/topic7823.html
07:45 <@vpnHelper> Title: OpenVPN Support Forum IPTABLES - Portforwarding : Routing and Firewall Scripts (at forums.openvpn.net)
07:45 < PowerKiller> and this
08:15 -!- dazo_afk is now known as dazo
08:59 < Greybits> Hi, does anyone know why the windows executable downloads all test positive for virus/trojan in clam av?
09:00 < Greybits> ie: if you download a windows installer exe from the openvpn site, it tests positive for containing a trojan
09:07 < DArqueBishop> Greybits: is your ClamAV up to date?
09:07 < Greybits> yes
09:07 < Greybits> freshclam updated immediately before
09:07 < DArqueBishop> I just downloaded the 64 bit Windows installer and scanned it using ClamAV on a CentOS 7 box. Nothing was detected.
09:07 < Greybits> tested various downloads and archives of the exe as well from different machines
09:07 < Greybits> i emailed security@openvpn and they could duplicate it
09:08 < DArqueBishop> http://pastebin.centos.org/39356/
09:08 < Greybits> c:\Users\rich\Downloads\openvpn-install-2.3.10-I602-x86_64.exe: Win.Trojan.Ramnit
09:08 < Greybits> -8178 FOUND
09:09 < Greybits> i will have some other sources continue to investigate. but i know openvpn folks were able to see it also.
09:10 < Greybits> tested various downloads from various sources and various clams
09:10 < DArqueBishop> That's odd.
09:10 < Greybits> somehow, i don't find it that way. but at least it is in the public record what i am saying.
09:13 < Greybits> it is my theory they were not found, because typically it is a pain in the ass to run clamav on windows, so those files don't get scanned by many users, because hardly any use clam on windows. and people with linux, typically, aren't downloading windows exes so they aren't caught there.
09:20 < Greybits> the real question is how long have the binaries contained a trojan, and how many computers are affected.
09:23 < Poster> I'd be tempted to have other antivirus scanners run against it
09:25 < Greybits> you can run 52 others against it in one place, virustotal.com. only clam finds it. but then again, clam is the only open source one. maybe the others are paid to ignore it.
09:26 < DArqueBishop> Greybits: in that case, I think Occam's Razor applies. It's more likely that instead of it being a conspiracy, it's that ClamAV is simply reporting a false positive.
09:26 <@dazo> Greybits: it's a known issue ... looks like there's a false-positive in clamav
09:26 < Poster> I agree with DArqueBishop and dazo; I highly doubt there is malware in the installer
09:27 <@dazo> Greybits: mattock is taking this up with the clamav upstream .... we definitely do not add any nasty stuff to the installer - at least not on purpose :)
09:28 < Greybits> what if you didn't know there was bad stuff getting in there? ask yourself: who would want to be able to access encrypted communication at the client level? and then narrow down "who dunnit".
09:28 < Poster> if you're that worried you can download the source and audit it yourself
09:28 < Greybits> i can't compile my own windows exe
09:29 < Greybits> probably like 99.9% of your users
09:29 < Poster> and that's your limitation, not OpenVPN's
09:29 < Greybits> my limitations are not the essence of my conversation today; my strengths in finding the issue are.
09:29 < DArqueBishop> Greybits: I think the issue has already been determined. ClamAV is reporting a false positive.
09:30 < Poster> I don't think crying wolf on what is more than likely a false positive is really helping much
09:30 < DArqueBishop> False positives happen with antivirus software.
09:30 < Greybits> you can spin it however you like, and you are entitled to your opinion.
09:30 < Greybits> as am i.
09:31 < Poster> so what is it you're trying to get here?
09:31 < Greybits> i wanted to make sure it's on the public record that this occurred and was found and mentioned, as well as to hear any other ideas and opinions: ie research and learning.
09:31 < DArqueBishop> As far as false positives go, this is kind of a minor one. There have been other antivirus software packages that had false positives capable of rendering Windows systems unbootable.
09:32 < Poster> the report is certainly appreciated and it looks like there are efforts to resolve the issue
09:33 <@dazo> Greybits: If you're unhappy with the builds and want 100% confirmation of a safe build .... here's how you do it yourself: https://community.openvpn.net/openvpn/wiki/BuildingUsingGenericBuildsystem#Cross-compilingonNIXgenericsubdir (IIRC, cross compiling is what we do for our windows builds)
09:33 < Greybits> thank you
09:33 <@vpnHelper> Title: BuildingUsingGenericBuildsystem – OpenVPN Community (at community.openvpn.net)
09:34 < Poster> but jumping to the conclusion that somehow OpenVPN paid off 50+ antivirus vendors to allow malware through seems a bit far fetched
09:34 < Greybits> the conclusion isn't that openvpn was the one who paid them off.
09:35 < DArqueBishop> I'd say ANYONE paying off 50+ antivirus vendors to allow malware through is far fetched.
09:35 < Greybits> i think you need to awaken bro.
09:35 < DArqueBishop> You'd think at least one of them would love to stick it to their competitors by publicly exposing what happened.
09:35 < Poster> the security community would have a field day
09:36 < Greybits> i will take it to the hacker channels next for evaluation.
09:36 < Greybits> maybe they can find the backdoor
09:36 <@dazo> DArqueBishop++
09:37 <@dazo> Greybits: good luck with your endeavors!
09:37 < Poster> if it does exist, it shouldn't be too hard to find in the source code
09:38 < Greybits> Poster, with all due respect (i'm not sure how much is due) you don't get it dude, or maybe you do and are just good at acting like you don't.
09:38 < Greybits> dazo, thank you! and thank you for your help.
09:39 < DArqueBishop> I'm pretty sure Poster gets it.
09:39 <@dazo> Poster: Theoretically it is possible that mattock could modify the source before doing the windows builds ... but I'd take his builds anytime without a blink over any other build from a proprietary vendor
09:40 < Poster> well yeah, anything is possible, I don't dispute that
09:40 < Greybits> why is it so impossible to consider that something could be injected after the builds?
09:40 < Poster> all that being true, anyone can compile from source and compare the result of both to determine if something is different
09:41 < Greybits> have you ever learned how virus insertion works?
09:41 < Greybits> or tried or tested or researched?
09:41 < DArqueBishop> dazo: like I said, I'm operating under Occam's Razor. Which is more likely: that 50+ competing antivirus vendors were paid off to ignore malware, or that a single vendor is showing a false positive?
09:41 <@dazo> Greybits: because our build tools are 100% open source (mingw based)? They are packaged, signature generated and *then* uploaded to the download server as a manual process
09:41 < Greybits> it's not about the build process.
09:41 < Greybits> and i will tell you this: it's not just openvpn.
09:41 < Greybits> this is my first stop today.
09:42 <@dazo> did you do a PGP signature check?
09:42 < Greybits> dazo, gpg, yes
09:42 < Greybits> and md5 sum on the download, if it had it
09:42 <@dazo> if the pgp signature was correct, then the download did not change in any way from the build server to the web server
09:43 < Greybits> i will double check.
09:43 <@dazo> which means the scope where the build could be manipulated is isolated to a box not accessible via the internet
09:44 <@dazo> which means, mattock is the person who would be capable of manipulating this
09:45 < Greybits> who is also the same person who replied to my inquiry about it. so im not saying this is true or probable, only possible....if he maintains it, compiles it, and answers questions about its security, could it be possible there is more than meets the eye?
09:45 <@dazo> and on top of that you suggest that 50+ anti-virus vendors were paid off by someone to hide a trojan from our build? So ... considering who could do that and at which stage, how likely would it be that mattock did that?
09:46 < Greybits> how much would it be worth to have a FUD backdoor in openvpn? if you divided that amount by 50 companies, would some or all take it?
09:46 <@dazo> Greybits: well, you probably have not met mattock IRL ... I have, several times ... and so I know him fairly well
09:46 < Greybits> i mean how much budget do you think the US government has for things like this? 0? an infinite unknown amount? more likely the latter.
09:47 <@dazo> Time to take off your tinfoil hat
09:47 < Poster> so what does this backdoor look like? I've got dozens of instances running with very restrictive firewalls and logging
09:47 < Greybits> just sayin man, im not saying it is likely, or even probable, but only a fool would limit the possible realities.
09:48 < debug0x1> Hello, friends. I have a question to harass you with. If i use " openvpn --config openvpnfilename "
09:48 * dazo wishes 100% reproducible builds would be doable ... that would kill this discussion completely
09:49 < debug0x1> Can i have a browser that is not using the openvpn link.
09:49 <@dazo> Greybits: I'm also not saying it is not possible ... I'm saying it is really not likely to be the case, as I somewhat know more about the build process, the signature process and the person doing this
09:50 < Poster> I 100% agree ^^^^
09:50 < DArqueBishop> Greybits: the problem is that you have a LOT of supposition and not very much evidence.
09:50 <@dazo> debug0x1: your question does not really make much sense
09:50 < DArqueBishop> dazo, I think he's asking if he can have apps that don't route through the VPN connection.
09:51 < Greybits> dazo, like i said, please don't be narcissistic or defensive of openvpn. it is not an openvpn only thing. i am finding the same thing in many pieces of critical software that are all perfect spying vectors. so please, i ask you only to think with an open mind about the POSSIBILITY that it IS happening.
09:51 < DArqueBishop> !routebyapp
09:51 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. or (#2) Alternatively, read up about Policy Routing to make routing decisions based on
09:51 <@vpnHelper> defined policies you set. For Linux, read about !lartc
09:51 < Poster> Greybits: if you ask people to not be narcissistic or defensive about their point of view, you should probably try doing that yourself
09:52 <@dazo> Greybits: well, as I said ... if you don't trust our builds ... we have documented how to do it yourself ... you'll find a recipe for cross-building and for using MSVC on Windows ...
09:52 < Poster> no one here is saying you're wrong, they're saying it's unlikely, when they share their knowledge on the issue, you immediately dismiss it
09:52 <@dazo> *That* is the only way you can be 100% sure, if you review the source code before building it
09:53 < DArqueBishop> Greybits: if you want people to believe you, you need to provide evidence. All you've provided is evidence that one AV vendor is showing a trojan, which can easily be explained away by a false positive. Everything else you've provided is supposition and opinion.
09:53 < Greybits> Poster, I apologize if you feel i am dismissive of your opinions and knowledge. Although it doesn't seem so, you couldn't be further from the truth, in that I do listen carefully to each and every answer and opinion and process each and every bit of data to the best of my ability.
09:53 <@dazo> Or as others would call it: FUD
09:53 < Greybits> FUD = fully undetectable
09:53 <@dazo> jerk
09:54 < debug0x1> dazo: Can i run openvpn and have a browser that is not using the VPN
09:54 < DArqueBishop> Because, honestly, Greybits, you're so hung up on your worst-case scenario that this is what you sound like: https://dl.dropboxusercontent.com/u/12102596/its-a-conspiracy.jpg
09:54 < Greybits> DArqueBishop, I do agree with you and your point and will work harder to uncover the facts.
09:54 < Greybits> nice try on the phishing
09:55 < DArqueBishop> Huh?
09:55 < Greybits> nothing
09:55 < DArqueBishop> Dude, if I was going to try and phish you, I'd use a web server I actually control.
09:55 < Greybits> i don't know much about that stuff, so i defer to you.
09:55 <@dazo> debug0x1: yes ... so DArqueBishop had the right one ... !routebyapp .... you might also want to dive into some network config stuff, in particular routing
09:55 <@dazo> !routebyapp
09:55 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined
09:55 <@vpnHelper> policies you set. For Linux, read about !lartc
09:55 <@dazo> !redirect
09:55 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
09:55 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
09:56 <@dazo> debug0x1: ^^^^ !routebyapp and !redirect were for you
09:56 < debug0x1> dazo: DArqueBishop: Thank you!
09:57 <@dazo> debug0x1: in fact you want the opposite of !redirect ... but that's obvious, isn't it?
09:59 < Poster> Greybits: tell you what, build your own version from source, compare the executables, install it on an isolated test system with whatever security software you trust and report back exactly what you think is happening
09:59 < Poster> log every packet that leaves the system and share what you suspect is the backdoor
10:00 < Greybits> Poster, and if i find something, is there a bounty?
10:00 < Greybits> or do i just give it to the hackers?
10:00 < Greybits> need to make sure i understand the best places to spend my time
10:00 < Poster> bounty? Maybe some merit to your concerns
10:02 <@dazo> debug0x1: hey! no PM unless we agreed on that here ... We do no private support
10:02 < debug0x1> I'm a bit confused with !routebyapp
10:03 < debug0x1> openvpn --routebyapp?
10:03 <@dazo> Greybits: you'll for sure get your credits in the changelog and maybe even the commit log
10:11 < debug0x1> !routebyapp
10:11 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. or (#2) Alternatively, read up about Policy Routing to make routing decisions based on
10:11 <@vpnHelper> defined policies you set. For Linux, read about !lartc
10:12 < debug0x1> !lartc
10:12 <@vpnHelper> "lartc" is (#1) LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. Start at the beginning if you're new to advanced routing on Linux or (#2) there is also a writeup on policy routing at https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
10:33 -!- dazo is now known as dazo_afk
10:57 < Ridley5> hi all
10:58 < Ridley5> i have a problem with the OpenVPN app on Android, cannot make a voice call with facebook messenger
10:58 < Ridley5> it says "connecting..."
10:58 < Ridley5> then the call is rejected
10:59 < Ridley5> anyone have an idea?
11:05 < Poster> Hi Ridley5, it is probably firewall related on your OpenVPN server, does facebook messenger work when not connected to the OpenVPN server?
11:10 < Ridley5> yes Poster it works when i disable the OpenVPN
11:10 < Ridley5> i installed OpenVPN on a VPS
11:11 < Ridley5> then downloaded the .ovpn file with my phone and used it in the application
11:13 < Poster> ok are other applications working when the OpenVPN link to your VPS is active?
11:42 < Ridley5> yes Poster, all other applications work perfectly, only voice calling through facebook messenger (sorry for the delay)
11:49 < Ridley5> i was looking at how to configure the VPN through samsung directly (without using the OpenVPN application)
11:55 < Poster> Can you paste via pastebin or similar the server configuration?
11:55 < Poster> also what OS is your VPS?
12:04 < Ridley5> You mean the .ovpn file Poster? the OS is: Debian 7 (Wheezy) 64
12:09 < Poster> Ridley5: I mean the configuration file on the OpenVPN server - Debian 7
12:09 < Poster> on the OpenVPN server, please paste the output of:
12:09 < Ridley5> ok
12:09 < Poster> ifconfig ; route -n ; sudo iptables -L -n ; sudo iptables -t nat -L -n
12:09 < Ridley5> ok please wait
12:12 < Ridley5> that is Poster: http://pastebin.com/9LHT3eZv
12:17 < Poster> ok that looks ok, the OpenVPN configuration file might be in /etc/openvpn/*.conf ; if you find it can you paste that too?
12:19 < Ridley5> ok please wait
12:21 < Serus> hi
12:22 * Poster tips his hat
12:22 < Serus> I have a similar problem to Ridley5, but I cannot connect to league of legends with my vpn connection
12:23 < Poster> the only thing I can think is that some of the connection may be trying to use something like uPNP which may exist on home routers but not on the OpenVPN server itself
12:24 < Ridley5> http://pastebin.com/HzV8auFn
12:24 < Poster> all of that being true, if the port(s) are known, it should be possible to forward them back to a _single_ VPN client address
12:24 < Ridley5> that is Poster
12:24 < Serus> I'm not really blocking ports using iptables
12:25 < Poster> well it's not entirely about blocking, but say your game expects an inbound connection on port 1234, it will reach the OpenVPN server and the server itself isn't expecting it, it will send a TCP reset, meanwhile the VPN client is listening but never gets the connection
12:25 < Serus> I see people close off literally everything, but is there a great need to do that?
12:25 < Poster> unless you forward port 1234 from your OpenVPN server to your VPN client, the connection will not establish
12:26 < Serus> yeah, I think the client initiates a server to client connection
12:26 < Poster> you might be able to determine any inbound attempts by either watching tcpdump or enabling logging in netfilter/pf (assuming you're Linux or BSD based on the OpenVPN server itself)
12:27 < Poster> the game/service may also publish the port numbers needed, that would probably be the easiest method to find them
12:27 < Serus> but how do services like pingbuster, or private internet access forward everything to the VPN?
12:27 < Poster> most connections are outbound, meaning the client initiates the connection to the remote server
12:27 < Serus> do they have multiple NICs and a ton of VMs on the server?
12:27 < Poster> it's only when a connection is attempted back to a client that issues surface
12:28 < Serus> yeah
12:28 < Poster> they're relying on NAT, much like home router systems, to "share" a public IP address
12:28 < Serus> they list their ports on their knowledge base
12:28 < Serus> it's a game btw :)
12:28 < Poster> yeah yours is a game, Ridley5's is an application
12:28 < Serus> yeah
12:28 < Poster> possibly the same issue though
12:28 < Serus> I'm very unfamiliar with iptables
12:29 < Serus> how would I set up the forwarding to another IP?
12:29 < Serus> you say nat, but how do they know inbound connections are destined for my certain IP?
12:30 < Poster> the NAT device keeps track of who is going where to flip the address back to the original
12:31 < Serus> or does the router simply try every LAN IP, until it gets a response?
12:31 < Serus> yeah, but how do you know this with inbound connections?
12:31 < Ridley5> is the OpenVPN ok Poster?
12:31 < Serus> does uPnP somehow figure that out?
12:31 < Ridley5> nothing special about the configuration
12:32 < Poster> so a NEW connection is different, the NAT device would not have any record as to where it goes unless told, in the case of manually specified firewall rules, it would be something to the effect of
12:32 < Poster> For a TCP connection to port 1234, forward that connection to 192.168.1.50
12:32 < Poster> or in the case of uPNP, the client sends a uPNP message to the router to do the above on demand
12:34 < Poster> Ridley5: sorry, I think you're looking at a hook script, not the OpenVPN configuration itself, if you do a "ps aux | grep openvpn" the file will probably follow the --config option in the process list
12:34 < Poster> something like: /usr/sbin/openvpn --config /etc/openvpn/foo.conf
12:34 < Ridley5> ok i'll do that
12:35 < Serus> Poster: ah
12:35 < Serus> can I set up software uPnP to do that?
12:35 < Poster> I believe so, but have not done so
12:48 < Serus> I found a guide, but this uses something that's either very old or not present on Arch :/
13:02 < Poster> yeah it might be true
13:03 < Poster> could be somewhat difficult, if using iptables it may be complex to figure out where to insert the correct rules to bring the connection in
13:09 <@plaisthos> Ridley5: try adding fragment to the config of client/server
13:10 <@plaisthos> but that is quite a strange thing
13:28 < Serus> Does anybody run uPnP on their VPN?
13:50 < distortedsignal> What version of easy-rsa are you folks running? I'm trying to get going with v3, and the documentation seems... sparse. v2 documentation for DAYS, but v3 not so much.
14:35 <@Eugene> I use XCA myself. GUIer.
14:38 < distortedsignal> @Eugene I might be heading that route, but right now I'm working on a Server version of Fedora that I'm trying to keep light. Good to know there are options!
14:38 <@Eugene> openvpn doesn't actually care how the PKI is generated, just that it's valid
14:51 -!- Netsplit *.net <-> *.split quits: +esde
14:51 -!- K1rk_ is now known as K1rk
14:52 -!- weox_ is now known as weox
20:04 < V193r> hey i just installed linux mint and need help installing openvpn
20:04 < V193r> never installed a vpn
20:04 < V193r> not trying to troll
20:10 < V193r> hello?
20:29 < debdog> start there: https://openvpn.net/index.php/open-source/documentation/howto.html
20:29 <@vpnHelper> Title: HOWTO (at openvpn.net)
20:34 < V193r> does this apply for linux as well
22:30 < butteredpopcorn> I'm running Jessie and trying to run openvpn. it works when I run it manually but not when I run service openvpn start, it says it's running but I can't connect (I can connect when I run it manually)
22:37 < butteredpopcorn> the issue looks like I just had to disable and re-enable the service.
--- Day changed Fri Feb 05 2016
06:41 < faleur> !welcome
06:41 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
06:41 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:42 < faleur> !goal
06:42 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
06:52 < PowerKiller> !topology
06:52 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
06:52 < PowerKiller> !iporder
06:52 <@vpnHelper> "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice). or (#2) Use --client-config-dir file for static IP (next choice) !static for more info or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice) or (#4) if you use --ifconfig-pool-persist see !ipp
06:52 < PowerKiller> !sample
06:52 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man) or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
06:55 < faleur> ircpimps.org looks like it is down atm? (http://www.downforeveryoneorjustme.com/www.ircpimps.org)
06:55 <@vpnHelper> Title: Down For Everyone Or Just Me -> Check if your website is down or up? (at www.downforeveryoneorjustme.com)
07:24 < V193r> i was wondering how to set up on linux?
07:24 < V193r> can anyone help
07:25 < V193r> !welcome
07:25 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
07:25 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:26 < V193r> !goal I would like to access the internet over my vpn on linux
07:26 < V193r> oh
07:26 < V193r> I would like to access the internet over my vpn on linux
07:27 < V193r> !configs
07:27 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting
07:44 < omgs> Hi
07:45 < omgs> I've got a problem using openvpn, being ubuntu client and debian server.
07:45 < omgs> I can establish the connection, but I can't ping anywhere in the vpn
07:45 < Serus> post configs
07:46 < Serus> did you enable ip forwarding in the kernel?
07:46 < omgs> I want to use a bridged connection, since the server has one bridge to the network I want to use.
07:47 < omgs> Yes, cat /proc/sys/net/ipv4/ip_forward = 1
07:48 < Serus> did you set up iptables?
07:48 < omgs> I've tried even disabling all the rules, with the same result
07:48 < Serus> !goal
07:48 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
07:48 < omgs> I'm using udp, I hope that's not a problem.
07:48 < Serus> it's not
07:49 < omgs> I want to access an internal network, where the server already has one bridge.
07:50 < omgs> In fact, the server is using openvz, and the bridge is for accessing all the containers inside, having all one ip in this internal network
07:51 < omgs> It's just for sshing to a container that doesn't have a public ip address
07:51 < Serus> wait
07:51 < Serus> you have a bridge setup?
07:51 < Serus> and again
07:51 < Serus> post configs
07:51 < Serus> of both server and client
07:52 < omgs> The host has only one physical eth, and I created a dummy bridge for eth1, where this internal network resides
07:52 < omgs> I can ping all ips in this bridge from anywhere (the traffic for this lan isn't restricted at all)
07:53 < omgs> So, the server has its real address as 192.168.52.1/24, and I wonder if setting bridge-server has to use a different address
07:55 < omgs> So, I guess in theory the proper setup should be via bridge and a tap device, right?
07:55 < omgs> I've read that the eth1 in this case should be in promiscuous mode. Is this right?
07:55 < BtbN> tap is never the proper setup unless you absolutely need layer 2 to be tunneled.
07:56 < omgs> Oh, I thought that tap was for bridging, and tun for routing (mostly). Is this wrong?
07:56 < BtbN> tap transports ethernet frames, tun IP packets.
07:57 < BtbN> There is no reason to use tap unless you need layer 2.
07:57 < Serus> omgs: I think that BtbN can help you better in this case, I don't know a lot of openvpn yet
07:57 < omgs> OK, I just need the app level, so tun seems to be the best option.
07:58 < omgs> And the server is intended to have several different clients, so I've set a range of addresses in the lan to be assigned, and I get one of them
07:59 < omgs> Do you think bridging is the proper choice for my case, regardless of whether routing could work?
08:00 < omgs> Another thing is that I've run tcpdump on both sides, and I can see the ping going, but not going back
08:01 < BtbN> you can't bridge tun interfaces. And there is no reason to do so. Just enable routing and set proper routes on the client, and it should just work.
08:02 < omgs> That's why I chose tap. I've tried both ways, with the same result.
08:02 < omgs> I mean, when using tun, I've used a 10.x/24 network
08:03 < Serus> BtbN: going to hijack your attention for a bit, do I need tap if I want to setup upnp over vpn? and can I get away with tap routing, or does it need to be bridged?
08:03 < omgs> On the client side, I see the route, but can't ping. Is there anything that should be checked on the client side?
08:03 < BtbN> No idea about UPNP, but why would it need tap?
08:04 < BtbN> omgs, no.
08:04 < Serus> I googled a bunch and it seems tap is needed for multicast
08:04 < omgs> BtbN: so you think the problem is on the server?
08:04 < Serus> I've setup miniupnpd and I can see that upnp is running using upnp tester, but trying to open up ports doesn't work
08:05 < BtbN> depends, generally yes, since when is UPNP using Multicast?
08:05 < BtbN> omgs, most likely yes. All you need to do there is enable forwarding.
08:06 < Serus> I honestly don't know anymore, I remember reading something about multicast when googling on how to set it up
08:08 < omgs> BtbN: what I'm not sure is if I should put a route in the server, but not sure to where it should go
08:08 < BtbN> The server sees all the networks involved, so it has implicit routes for them already in place.
08:10 < omgs> So, please let me review. when do you recommend bridging?
08:11 < omgs> I guess that you're somehow against it, because you don't "like" tap and bridging can't be used with tun, right?
08:13 < DArqueBishop> Bridging is a pain in the ass and is only necessary in certain use scenarios.
08:14 < Serus> DArqueBishop: what scenarios?
08:15 < Serus> and what implications on my network does bridging have?
08:15 < DArqueBishop> Serus: the only time I've ever needed it was when a friend and I were doing LAN gaming over a VPN connection.
08:15 < Serus> hmmm
08:15 < Serus> nothing about upnp?
08:16 < DArqueBishop> I've never used OpenVPN for redirecting all network traffic, so I couldn't tell you.
08:16 < Serus> honestly, redirecting all network traffic seems the primary reason to use one
08:17 < Serus> but you use it for like getting LAN access at home?
08:17 < DArqueBishop> Yes.
08:17 < Serus> but what does bridging actually do to my server's network?
08:17 < DArqueBishop> It depends on your use scenario. A lot of people use it for redirecting network traffic. I've never had that use scenario.
08:17 < Serus> will it keep the actual WAN IP?
08:18 < Serus> I can't have my server go "offline"
08:18 < BtbN> There is no difference between tun and tap in that regard.
08:18 < BtbN> tap operates on layer 2, tun on layer 3. tap is a lot more error-prone and inferior in terms of performance.
08:18 < Serus> with bridging? or?
08:19 < BtbN> So unless you need layer 2 to be tunneled, there is no reason to use tap.
08:19 < Serus> I think I need layer2 for upnp, but I'm not completely sure
08:20 < omgs> BtbN: isn't bridging a reason to use tap?
08:20 < BtbN> you can't bridge tun, no.
08:21 < BtbN> But there is no reason to use a bridge for what you intend to do.
08:21 < omgs> Well, take that I intend to manage many client networks (servers), each with its own different subnet.
08:22 < omgs> Wouldn't that be a reason to use bridging?
08:22 < DArqueBishop> omgs: no.
08:22 < DArqueBishop> Serus: this may be a stupid question, but do you have upnpd running on your server?
08:23 < Serus> yeah, I have miniupnpd running
08:23 < Serus> it also shows up when I list iptables rules
08:24 < omgs> DArqueBishop: well, the routing table and the routes in the tun devices should be chosen carefully in order to not conflict, but with bridging this problem doesn't exist, right?
08:24 < BtbN> There is no need to set any routes on the server. Just enable ip forwarding.
08:24 < omgs> I mean, you only have to take care of the remote lans to not conflict
08:25 < omgs> Well, I'm saying this from the client side, my computer
08:25 < DArqueBishop> omgs: you can just set a unique VPN subnet for each client site.
08:26 < omgs> So, in case I have to connect simultaneously to several vpns, I don't have to worry about "local" (10.x) addresses
08:26 < DArqueBishop> omgs, considering how many different /24 subnets you can create in 10.0.0.0/8, I don't think that's going to be an issue. :-)
08:28 < omgs> Well, at this time, remote networks are 192.168.X.y/24, taking care of "X"
08:28 < omgs> If I ever reach over 200 subnets, I'll start to worry, because usually there aren't large subnets
08:29 < omgs> Anyway, I can use tun for this to work and see what's the problem
08:30 < omgs> Theoretically, I think that setting on the server push "route 192.168.52.0 255.255.255.0" should be enough, together with ip_forwarding, right?
08:32 < DArqueBishop> omgs, yes, and the router/gateway on the remote side should be configured to forward traffic for the VPN subnet to the VPN server.
08:35 < omgs> DArqueBishop: when you say "remote", you mean "server" or "the other side"?
08:43 < omgs> !paste
08:43 < DArqueBishop> omgs: yes.
08:43 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
09:07 < omgs> I have put the confs in https://gist.github.com/anonymous/3ef7fd6d4a2d50be0505
09:07 <@vpnHelper> Title: OPENVPN cant ping · GitHub (at gist.github.com)
09:16 < Serus> omgs: try adding to server.conf push "route gateway 192.168.52.0"
09:16 < Serus> also, what IP do you get on the client?
09:17 < Serus> er sorry
09:18 < omgs> Serus: I get ip, but I don't want/need it to be the default gateway
09:18 < Serus> push "route-gateway 192.168.52.0"
09:18 < Serus> yes, but you need a gateway to the server
09:18 < Serus> it gets used as extra gateway
09:20 < omgs> But I already have a route to that network, and I can reach the server, but not the replies
09:24 < omgs> Shouldn't the server be able to ping 10.0.52.6 via 10.0.52.X?
09:26 < Serus> try it
09:26 < Serus> try pinging 10.0.52.1
09:29 < omgs> From the client?
10:24 -!- Tenhi_ is now known as Tenhi
10:30 < Serus> omgs: yes
10:46 < Serus> DArqueBishop: when you did tap bridging, how did you set it up?
10:46 < Serus> I'm reading a guide on openvpn.net, but it assumes my IP is in the 192.168 range
10:47 < Serus> how does this work when my IP is a WAN IP?
11:04 < Serus> oh god damnit
11:04 < Serus> I locked myself out of my server
11:35 < wallbroken> hi guys
11:35 < wallbroken> i have a problem with my openvpn connect client
11:36 < wallbroken> it won't redirect traffic even if redirect-gateway is on
12:52 < Serus> openvpn connect client?
12:52 < Serus> like
12:52 < Serus> "OpenVPN GUI"?
12:57 < wallbroken> openvpn connect for ios
12:58 < wallbroken> https://itunes.apple.com/it/app/openvpn-connect/id590379981?mt=8
12:58 <@vpnHelper> Title: OpenVPN Connect sull'App Store (at itunes.apple.com)
13:01 < Serus> oh
13:01 < Serus> idk then
13:02 < DArqueBishop> wallbroken:
13:02 < DArqueBishop> !configs
13:02 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) don't forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting
13:03 < wallbroken> unfortunately it's a third party server, so i can give you only the client config
13:04 < wallbroken> https://www.dropbox.com/s/vbua8lc1yo7wm4i/TunnelBear%20Italy.ovpn?dl=0
13:05 < DArqueBishop> In that case, you'll need to contact them for support.
13:05 < DArqueBishop> !both
13:05 <@vpnHelper> "both" is If you do not control both ends of the link (server and client) then there is not much we can do to help you. Please talk to your network admin instead.
13:06 < wallbroken> is there something wrong in that config?
13:07 < DArqueBishop> Well, for one thing, I wouldn't have included the cert and private key when pasting it.
13:08 < DArqueBishop> Who provided you with the config file?
13:09 < wallbroken> it doesn't matter, they are public on the service provider site
13:11 < DArqueBishop> I don't see a problem with it.
13:11 < DArqueBishop> I would contact the VPN provider and request assistance from them.
14:48 < wallbroken> does the "client" directive imply pulling settings from the server?
15:03 < Serus> DArqueBishop: you here?
15:03 < Serus> wallbroken: no
15:03 < Serus> it implies that you're a client
15:04 < Serus> and you can optionally receive settings from the server
15:04 < wallbroken> to receive settings from the server, do i need to add "pull"?
15:04 < Serus> everything with push in your server config file will be sent to the client
15:04 < Serus> your client will receive it automatically
15:05 < DArqueBishop> Serus: he doesn't control the server.
15:05 < Serus> ah
15:05 < Serus> I needed you
15:06 < Serus> I finally succeeded in getting the bridge working
15:06 < Serus> with lots of server reboots >_>
15:06 < Serus> but how does server-bridge work?
15:06 < Serus> all the google results go from 192.168.x.x
15:06 < DArqueBishop> I'm not the best person to ask. I've not used bridging in over a decade.
15:07 < Serus> while my server IP is in the 5.9.x.x range
15:07 < Serus> it's NOT a LAN IP
15:08 < wallbroken> DArqueBishop, i contacted openvpn support via twitter
15:08 < wallbroken> and they tested its config
15:08 < wallbroken> and it's all ok on a PC
15:08 < wallbroken> and they are right
15:08 < wallbroken> the problem is only on my openvpn connect app
15:09 < wallbroken> but it's specific to that provider
15:09 < wallbroken> with the others, it's all ok
15:09 < wallbroken> can I paste you the log of the app?
15:09 < Serus> you should tell them to try it with openvpn connect
15:09 < Serus> sounds like an issue on their end
15:09 < Serus> if other providers work fine with openvpn connect
15:13 < wallbroken> they told me that they cannot test for every client
15:13 < Serus> :/
15:14 < Serus> is openvpn connect the only iphone/ipad client?
15:15 < wallbroken> yes
15:16 < wallbroken> as i said, it works, but with that specific provider, redirecting of traffic does not work
15:16 < Serus> then tell them that it is pretty much necessary to test openvpn connect to support iphone/ipad
15:17 < Serus> and they improve their service as a result
15:17 < DArqueBishop> Especially considering OpenVPN Connect is the official client for iOS.
15:17 < wallbroken> the problem is that the provider has its own app for ios
15:18 < wallbroken> i think they will suggest using it
15:18 < wallbroken> https://www.tunnelbear.com/
15:18 <@vpnHelper> Title: TunnelBear: Secure VPN Service (at www.tunnelbear.com)
15:18 < wallbroken> this is the provider
15:45 < wallbroken> https://www.dropbox.com/s/2x3jm6ds7cxnci4/log.txt?dl=0
15:45 < wallbroken> this is the log file
15:47 < Serus> how can I add an extra internal ip and route it to my primary IP?
15:49 < wallbroken> Raise Keyboard — When ON, the app will try to raise the iOS soft keyboard whenever an input field is selected.
15:50 < wallbroken> stupid a lot
16:16 < mike_papa> Hello. I set up an openvpn server on a dd-wrt router some time ago. Now, not only do I not have the system I used to create keys and certificates, but I don't even have that computer anymore. Is there any way to use information from the server to create new users' keys on a new computer (meaning one that was not used for that before)?
16:18 < mike_papa> I was trying to look on google for things like generating openvpn keys outside of the server, but I had no luck. Millions of tutorials describing the same - how to create new certificates, and everything. But I just need a new user. Not everything.
16:19 < mike_papa> Does the thing I'm looking for have any particular name? This could help digging google.
16:19 < mike_papa> And docs.
16:29 < PhrozenByte> Hi, is it a known issue that a client's status file mixes up read and write statistics? Concretely, incoming traffic increases "TUN/TAP write bytes" and "TCP/UDP read bytes". Or is there a deeper meaning I can't see?
17:41 < wallbroken> is there a way to override a directive given by the server using the local one?
17:51 < rommy> exit
18:05 < Serus> I am so done with openvpn
18:05 < Serus> I don't understand anything of this
18:11 < omgs> I have put the confs in https://gist.github.com/anonymous/3ef7fd6d4a2d50be0505
18:11 <@vpnHelper> Title: OPENVPN cant ping · GitHub (at gist.github.com)
18:18 < Neighbour> omgs: do a tcpdump on the target network interface (not tun0, but wherever the IP you're pinging is) and verify that the pings are actually leaving the openvpn server
18:19 < Neighbour> and take note what the source IP is in those packets
18:20 < Neighbour> then check if the target host is able to reach the source IP (routing, NAT, etc), and fix this if it is not able to
18:31 < Amnesia> hi question, does the admin user have a default password?
18:32 < subzero79> Amnesia, are you talking about openvpn or openvpnAS?
18:32 < Amnesia> openvpn
18:33 < subzero79> don't follow then
18:34 < Amnesia> owait
18:34 < Amnesia> sorry
18:34 < Amnesia> I am actually talking 'bout the webinterface here
18:34 < Amnesia> XD
18:51 < subzero79> Amnesia, what webinterface?
18:54 < subzero79> !AS
18:54 <@vpnHelper> "AS" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
19:12 < omgs> Neighbour: the ping doesn't reach the iface with the address
19:13 < omgs> The iface is vmbr1, i.e. a bridge. May it be related when using tun instead of tap?
20:47 < k2gremlin> Hello all, I am wanting to use OpenVPN to connect two remote networks. Both sides will be using a headless Ubuntu Server for the VPN connection. When I installed the latest OpenVPN, I see that a GUI has been implemented. Is there any way to make one of the headless servers a client to connect to the other one as a server?
20:47 < k2gremlin> By GUI I mean web interface
22:31 -!- luckman212 is now known as luckman212_
22:32 -!- luckman212_ is now known as luckman212__
22:32 -!- luckman212__ is now known as luckman212_phone
--- Day changed Sat Feb 06 2016
06:01 < PhrozenByte> Hi, is it a known issue that a client's status file mixes up read and write statistics? Concretely, incoming traffic increases "TUN/TAP write bytes" and "TCP/UDP read bytes". Or is there a deeper meaning I can't see?
06:27 < ravegen> My client can connect to the server and has an internet connection on a wired connection. But if i am on mobile 3g, the client is connected but there's no internet.
06:30 < gameid> !welcome
06:30 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
06:30 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:30 < gameid> !goal
06:30 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server, I would like to access the internet over my vpn, I just want a secure connection between 2 computers, etc
06:35 < ravegen> (ravegen) My client can connect to the server and has an internet connection on a wired connection. But if i am on mobile 3g, the client is connected but there's no internet.
07:08 < dbech> Hey guys, know if the inbuilt VPN service in windows 10 will work with openVPN?
08:21 < skyroveRR> ping
08:30 < skyroveRR> I'm trying to compile and statically link openvpn 2.3.10 for ARM and I'm using the following configure/make options to compile: http://pktsurf.in/files/compile.txt ; however I get this output: http://pktsurf.in/files/log.txt ... any ideas?
09:32 < SAKUJ0> Hey guys. Any recommendations on how to deal with PKI in small companies with 1-20 people? Right now I just use easy-rsa and generate an ovpn by hand and throw it on a USB stick
09:33 < SAKUJ0> I was wondering if there is a nice and clean way to have non-CLI users generate client ovpn configurations
10:18 < dbech> Heya, I'm trying to connect to my VPN server using the GUI and I keep getting this error when trying to connect "Options error: No client-side authentication method is specified. You must use either --cert/--key, --pkcs12, or --auth-user-pass Use --help for more information."
10:21 < dbech> here's my config http://pastebin.com/EpgbR5DN
12:06 < LanDi> hey guys, I want to create an openvpn server on my banana pi... but I want to know if I will be able to access it from abroad or not, cause I don't know if my ISP allows me to access my machine remotely, how can I check that before doing all the openvpn stuff?
12:11 < wallbroken> i don't think your ISP does packet inspection. if your port is reachable from the outside, you can test it with netcat, but first of all you need to ensure that you are not behind NAT
12:12 < LanDi> wallbroken, I am... cause my router is connected to another router
12:13 < wallbroken> so you are behind two NATs. and you need to forward the port on two routers
12:14 < LanDi> wallbroken, what if I put my router as a bridge and set my ip to a static ip?
12:15 < wallbroken> bridge between what?
12:15 < wallbroken> you said that you have 2 routers
12:16 < LanDi> actually the internet comes from my friend's apartment... so, his router does NAT and I have connected my router to his using an ethernet cable
12:17 < wallbroken> you just need to forward the port two times, that's all
12:18 < LanDi> hmmm,
12:19 < LanDi> wallbroken, don't I need to disable nat on his router and mine?
12:21 < wallbroken> no
12:22 < LanDi> wallbroken, I have opened the 32976 tcp port... how can I check if it's reachable from outside using netcat?
12:23 < LanDi> (sorry for asking noob questions)
12:23 < wallbroken> start netcat on the server in server mode specifying the port
12:24 < wallbroken> then you need another connection from which to start netcat in client mode connecting to the router's public ip on that specified port
12:24 < LanDi> wallbroken, but as I said before, I didn't create the vpn server yet... should I create it first?
12:24 < LanDi> :(
12:24 < wallbroken> no
12:25 < wallbroken> now you only need to check if the port is forwarded properly
12:25 < LanDi> wallbroken, can I act as a server and you as a client just form testing?
12:25 < LanDi> for*
12:26 < wallbroken> ok
12:27 < LanDi> wallbroken, I did netcat -l 32976
12:30 < LanDi> now how can I shou you my ip?
12:30 < LanDi> show*
12:34 < wallbroken> ok
12:42 < LanDi> wallbroken, are you there?
12:42 < wallbroken> yes
13:31 < thinknow> Hi, why when i use openvpn can i still not go to sites that are banned like piratebay? And i see now even the ip got shown here at irc? How can this happen?
13:32 < thinknow> i am used to linux, but now use windows, i know in ubuntu i had to change nameservers
13:32 < thinknow> but how can i do that in windows the proper way?
13:32 < thinknow> if that could be the problem?
13:32 < ikonia> why would using a VPN allow you to reach blocked sites?
13:33 < ikonia> (or why would you think it would)
13:33 < thinknow> because it always does
13:33 < hiya> thinknow, dnsleaktest.com
13:33 < hiya> dnsleaks.com
13:33 < thinknow> since i use an ip that is not mine
13:34 < thinknow> and it is my dns that blocks it
13:34 < ikonia> I don't understand
13:34 < ikonia> do you control the other VPN?
13:34 < thinknow> or not my dns but my internet provider
13:34 < thinknow> the vpn is not blocked from the sites
13:34 < thinknow> it works fine with ubuntu
13:34 < hiya> thinknow, but what DNS are you using?
13:34 < ikonia> a.) you need to route all traffic down the VPN connection
13:35 < ikonia> b.) you can't just setup a random vpn and expect it to be able to bypass things
13:35 < thinknow> it says the openvpn gui takes care of the dns when i start it up
13:35 < hiya> thinknow, traceroute youtube.com
13:35 < hiya> does it go via your server IP?
13:38 < thinknow> doesn't look like it
13:38 < thinknow> it seems like the vpn says it works, but just does not
13:38 < thinknow> i can only see my dsl provider's ip's
13:40 < thinknow> how can i change my nameservers in windows in real time?
13:43 < ikonia> why do you think Dns is the problem?
13:43 < ikonia> isn't the problem that you are not routing out of your VPN
13:44 < thinknow> because before i always had to change nameservers manually when i connected to the vpn (in ubuntu) for it to work
13:44 < ikonia> a name server is a name server
13:44 < ikonia> your isp will offer host = x.x.x.x, a different one will offer host = x.x.x.x
13:44 < ikonia> exactly the same
13:44 < thinknow> if i did not, i just used my regular ip and the vpn did not work
13:44 < ikonia> why does dns matter?
13:44 < ikonia> surely what matters is routing your traffic out of the VPN
13:45 < thinknow> i had to change from 127.0.0.1 to either google's 8.8.8.8 or another one
13:45 < ikonia> you didn't have to change that
13:45 < ikonia> that's just your lack of understanding of how ubuntu and dnsmasq work
13:45 < ikonia> again, I don't understand why you think DNS matters
13:46 < ikonia> what matters is routing your traffic out of the vpn
13:46 < thinknow> in ubuntu so, my vpn provider told me so, and i have used them for many years. always had to do that
13:46 < thinknow> in linux
13:46 < thinknow> but in windows that should not be a problem
13:46 < thinknow> but ok
13:46 < ikonia> then your vpn provider doesn't understand how dnsmasq works
13:46 < thinknow> it worked fine when i did it though
13:47 < thinknow> and that was to connect to the vpn properly. not to hide me more or so
13:47 < thinknow> but ok. how can i route my traffic through the vpn then?
13:47 < ikonia> again, I don't understand why you care about dns
13:47 < ikonia> every dns server should offer the same host->ip mapping
13:47 < ikonia> that's the point of dns
13:48 < thinknow> since if i use my dsl provider's dns i also get a dns leak
13:48 < thinknow> don't i?
13:48 < ikonia> a dns leak?
13:48 < thinknow> yes, "dns leak" so the vpn gets a bit transparent
13:49 < ikonia> gets a bit transparent?
13:49 < ikonia> I have no idea what you are talking about
13:49 < thinknow> yes you do, you just don't like the nooby way i am saying it
13:49 < ikonia> no, I really don't
13:49 < ikonia> as I've said 4 - 5 times, I have no idea why you care about your dns servers
13:50 < thinknow> so what should i do then?
13:50 < ikonia> and I don't understand why you are not trying to route your traffic down the vpn
13:50 < ikonia> and then you've said things like dns leak and the vpn being a bit transparent, which I have no idea what you mean
13:50 < thinknow> because i have no idea how,
13:51 < thinknow> i mean that it is possible to see my ip even though i was connected to my vpn
13:51 < ikonia> because it doesn't look like you are routing down the vpn
13:51 < thinknow> but when i changed my nameserver from 127.0.0.1, which is standard, to the nameservers i got from them, it worked perfectly
13:52 < thinknow> yes, just explaining what i meant
13:52 < ikonia> forget that
13:52 < thinknow> but how to route it through my vpn in win then?
13:52 < ikonia> ubuntu uses dnsmasq which runs a local name server (127.0.0.1) that routes dns traffic to whatever you tell it to
13:52 < ikonia> so you should not change your name server from 127.0.0.1
13:52 < thinknow> maybe it just is something with their setup?
13:52 < ikonia> nope
13:53 < thinknow> at least they tell everyone to do it
13:53 < thinknow> when using ubuntu
13:53 < ikonia> doesn't make it right
13:53 < thinknow> i haven't had to do it with other vpn providers
13:53 < thinknow> but to get that one working i have to
13:53 < ikonia> it means they don't know how to support the distro they are giving people help on
13:53 < thinknow> just how it is, maybe i could have done something else with the same result, but it works
13:54 < thinknow> but now i use windows
13:54 < thinknow> and i don't know what i should do to route my traffic through the vpn
13:54 < ikonia> look at your routes
13:54 < ikonia> you want the default route to go out of the vpn
13:54 < thinknow> the vpn says it is connected (i use the openvpn Gui v8 for win)
13:55 < ikonia> or it will go out of your gateway which is your ISP
13:58 < thinknow> where do i find my route in windows again? i go to adapter settings, but can't find the routing table or whatever it was called
13:58 < thinknow> sorry you have to help me from scratch, haven't used windows since win2k
13:59 < ikonia> I'm not a windows users,
13:59 < ikonia> user
13:59 < thinknow> ok but do you know?
13:59 < thinknow> before i mean it was at the same place as dns++
13:59 < thinknow> but now i can't find it
13:59 < ikonia> you could open a command prompt and use the route command
14:01 < thinknow> yeah ok
14:03 < thinknow> i don't have a clue what to type, i am at route ADD
14:04 < thinknow> should i type my vpn's host as destination? and what gateway? :p
14:05 < thinknow> or metric (as i don't know either)
14:07 < ikonia> so you need a route to the VPN via your ISP, and then you need the default route to be the VPN
14:10 < thinknow> i really have no idea how to do it, think i have to find a guide
14:10 < thinknow> because i don't know what to type to do this, i know what i have to do. but not how
14:12 < thinknow> is metric the route via my isp?
14:13 < thinknow> i have this example i have to change:
14:13 < thinknow> > route ADD 157.0.0.0 MASK 255.0.0.0 157.55.80.1 METRIC 3 IF 2
14:13 < thinknow> destination^ ^mask ^gateway metric^ ^
14:13 < omgs> thinknow: can you browse the internet correctly when you're not connected to your vpn?
14:13 < thinknow> yes i can
14:13 < majuscule> I'm having trouble getting my .ovpn conf imported on android. it is complaining that it can't read the file. "file is binary"
14:13 < thinknow> also when connected
14:13 < majuscule> it is a plain ASCII file
14:13 < omgs> So, when you connect to your vpn, you have to set the vpn NOT to be the default route
14:14 < thinknow> ok, but where do i find which addresses to use?
14:15 < omgs> If I read correctly, your problem is that some internet sites are "blocked" when you connect to your vpn using ubuntu, but not when using windows, right?
14:16 < thinknow> as well as my ip shows, like here when i connected or irc right now, my real ip appeared
14:16 < thinknow> that is not good
14:17 < thinknow> on irc*
14:18 < thinknow> could it be because i haven't opened the openvpn gui as admin?
14:18 < ikonia> it's showing your IP because you're not routing out of your VPN
14:18 < thinknow> yes i know, but i don't understand why it suddenly doesn't route out of my vpn
14:19 < omgs> thinknow: can you please confirm my last question?
14:19 < thinknow> and i have no idea how to route it the right way
14:19 < thinknow> but yes. piratebay is blocked, i don't have any other sites that can be blocked that i use
14:19 < thinknow> no other way around
14:19 < thinknow> ubuntu works fine, it is windows where it does not work
14:20 < omgs> Ah, ok
14:20 < omgs> What is your windows openvpn client?
14:20 < thinknow> but in ubuntu i always have to change my nameserver (you know, sudo /etc/resolv.conf to the config i need, and then it works fine)
14:21 < omgs> Do you need dns for any site in the vpn, or is it just to mask your address?
14:22 < ikonia> thinknow: forget your ubuntu dns servers - you are making a mess by constantly referencing this
14:22 < ikonia> you do not have to change them
14:22 < thinknow> About: OpenVPN GUI v8 - A windows GUI for openVPN (http://openvpn.se)
14:22 <@vpnHelper> Title: OpenVPN GUI for Windows (at openvpn.se)
14:23 < omgs> thinknow: can you export your config in ubuntu to windows? I think there's a setting you're overlooking
14:23 < Neighbour> omgs: if the ping doesn't exit the openvpn server on the nic the target IP is connected to, then it is either not forwarding (cat /proc/sys/net/ipv4/ip_forward) which you already checked, or there's a firewall rule blocking it
14:23 < thinknow> just telling you, since that was my problem before when i started using it, then the admins told me to just change them when i connect to the internet, and it will work. and it did, and it has done for the last 3-4 years, but ok forget about this now. it is windows that is the problem, ubuntu i get it to work in 2min
14:24 < thinknow> omgs: i can try
14:25 < thinknow> omgs: when i think about it, it is just the same files that i use, so it is the config
14:25 < omgs> thinknow: at least compare them to see the differences, if any
14:25 < thinknow> omgs: only thing, after i found out that it didn't work properly, i tried to write in the config to also do udp
14:26 < thinknow> or the opposite, ok i will check
14:27 < omgs> thinknow: at least in ubuntu network-manager (if you use it or try to use it), you can set your own network settings, overriding settings from the server.
14:28 < omgs> You can try something that works without any changes, and then, copy that config
14:29 < omgs> Neighbour: sorry, I didn't want to mix to conversations
14:29 < omgs> *two*
14:29 < Neighbour> np
14:32 < thinknow> omgs: i tried to compare with my alternative server, it's either vpn1 or vpn2 so i compared the config, and the only thing that is not the same is that the config i use now is missing comp-lzo
14:32 < thinknow> could that be something?
14:33 < thinknow> no i see now when i compare with the original config file it is the same
14:34 < omgs> thinknow: I don't think so. Your problem seems to be routing, so it would be good to show your routes in both win and linux, because according to what you say, there are different behaviours in both OS
14:36 < omgs> Neighbour: "ifconfig tun0" on server shows "RX bytes:73332 (71.6 KiB) TX bytes:0 (0.0 B)"
14:41 < omgs> I mean: I'm not sure if iptables was blocking outgoing traffic there could be "TX:0"
14:43 < Neighbour> uhm, that's not what i meant
14:43 < Neighbour> from the client, you're pinging 192.168.52.1
14:43 < Neighbour> you've verified that the pings enter the openvpn server on the tun0-interface
14:43 < Neighbour> using tcpdump
14:44 < omgs> Yes, I've verified that
14:44 < Neighbour> ok, so where is the 192.168.52.1 ip located?
14:44 < Neighbour> is that the server itself, or another client somewhere?
14:44 < Neighbour> and how is that client connected to the server?
14:45 < omgs> It's a bridged network, which I want to access, the reason for the vpn itself
14:46 < omgs> The server has an interface bridged to that network, and its own ip for that network (192.168.52.0/24) is .1
14:46 < omgs> I can ping any host in the network from the server
14:47 < Neighbour> if you want to use the openvpn interface in a bridge, try using tap mode for openvpn instead of tun
14:47 < omgs> But maybe I have to do it for the tun0 interface, it's not nonsense
14:48 < omgs> Neighbour: I tried that at first, but got the same results
14:48 < omgs> Do you think both (tun and tap) should work, if correctly set up?
14:48 < omgs> Just as a concept
14:49 < Neighbour> not sure about tun, but tap should work
14:49 < Neighbour> but why are you using a bridge in the first place?
14:50 < omgs> Well, on the server I'm using openvz and there are some containers, each having its own private ip address in that network, regardless of any other networking
14:51 < Neighbour> and all those containers are bridged?
14:51 < omgs> So, I had to set the virtual interface bridged to this one for the private network
14:52 < omgs> From their guest point of view, they use eth1, but they are bridged by using vethX.Y
14:52 < omgs> That's the only way they use the same network
14:52 < Neighbour> i'm not sure why you would need to add tun0 to the bridge still
14:52 < Neighbour> you can still forward/NAT between tun0 and the bridge
14:53 < omgs> No, it's a discussion I had here just in order to test why tap wasn't working, and I tried tun
14:58 < omgs> Neighbour: well, I have just explicitly allowed ingoing and outgoing to tun0 and IT WORKS!!!
14:59 < omgs> So I guess I need an extra script on the server that makes sure that there's a rule to allow this traffic, instead of blocking it (by default OUTPUT is not allowed)
15:09 < AndChat706484> Trying to build openvpn-2.3.10
15:09 < AndChat706484> Compilation errors popping up
15:10 < AndChat706484> Can anyone help?
15:24 < omgs> Neighbour: I'm trying now with tap, but it's harder
15:25 < omgs> First, tap0 isn't up (but it gets incoming traffic)
15:25 < omgs> Oh, I can ssh, but can't ping
15:26 < omgs> Is there any smart way to put iptables rules upon openvpn startup?
15:46 < Neighbour> yes, there is, but i don't know it by heart :)
15:46 < Neighbour> and well done in figuring out what it was :)
15:53 < omgs> Neighbour: now, I'm trying to setup bridge with tap, but I'm having some problem
15:54 < omgs> I've opened (I think) all the incoming, forward and output traffic in iptables for tap0, but tap0 isn't "really", though "ifconfig tap0" shows RX:XXXX and TX:0
15:54 < omgs> iptables -L -n -v shows tap0 with 0 traffic in all rules
17:25 < Neighbour> omgs: and I suppose tcpdump on tap0 doesn't show any traffic either?
17:26 < omgs> Neighbour: the problem I have right now is that tun0 didn't really work, just for the server, not for the lan
17:27 < omgs> Now I'm looking for adding tun0 to the network, but it's a bridge, so I think I have to go back to tap
17:39 < Neighbour> if the tun worked just for the server, then that means that you didn't nat the traffic from the tunnel
17:39 < Neighbour> and the host you're pinging from the openvpn client doesn't have a route back to the client
17:40 < Neighbour> (well, that is one possibility)
17:57 < omgs> Neighbour: well, I could ping just the server, not the network, so my assumption was wrong
17:57 < omgs> Now I'm dealing with tap and I've setup scripts so I add tap0 to the bridge on startup
17:58 < omgs> I have a rule to allow all traffic to the bridge interface, and that's why all hosts can see among themselves
17:59 < omgs> But I'm still having the same problem
18:04 < omgs> Neighbour: I think now it works!!! (still checking)
18:05 < omgs> For the moment, I just needed to put the interface up and add it to the bridge
18:05 < omgs> I was just adding to the bridge
18:05 < omgs> Why doesn't tap automatically put itself up at startup?
18:10 < Neighbour> i don't know
18:10 < Neighbour> zzz
18:13 < omgs> Neighbour: thank you, sleep well
18:13 < _FBi> !seen krzee
18:13 <@vpnHelper> krzee was last seen in #openvpn 5 weeks, 2 days, 19 hours, 45 minutes, and 12 seconds ago: !botsnack
19:28 < wallbroken> https://www.dropbox.com/s/2x3jm6ds7cxnci4/log.txt?dl=0
19:28 < wallbroken> why are there two routes?
19:32 < k2gremlin> Hello all, I am trying to setup a remote server with a VPN connection. I am testing the VPN connection with my PC over my phone hotspot. When I setup the server with server-bridge 192.168.2.25 255.255.255.0 192.168.2.101 192.168.2.102, OpenVPN on the PC connects and can ping 192.168.2.25, However, it cannot ping anything else on the 192.168.2.x network.
If I try to setup a server bridge with 192.168.3.1 255.255.255.0
19:32 < k2gremlin> 192.168.3.2 192.168.3.3, it connects but I can't ping anything. Not even the 192.168.3.1
19:37 < omgs> k2gremlin: I have experienced the same and the solution is two steps:
19:37 < omgs> 1) ifconfig tap0 up
19:37 < omgs> 2) brctl addif tap0
19:37 < omgs> k2gremlin: please try and tell me
19:38 < k2gremlin> bridge being the interface I am bridged to being eth0 correct?
19:39 < omgs> Do you have an interface in the lan, because if not, I can't understand bridging
19:39 < omgs> do "brctl show"
19:39 < k2gremlin> This server is connected to the lan on Eth0
19:39 < k2gremlin> I have bridge setup in /etc/network/interfaces
19:40 < k2gremlin> br0 has bridge_ports eth0
19:40 < omgs> do "brctl show"
19:41 < k2gremlin> bridge name br0 has an ID STP enabled=no Interfaces lists Eth0 and Tap0
19:41 < omgs> Are you now connected to the vpn?
19:42 < omgs> If not, please do it
19:43 < k2gremlin> I am connected. Route print on the windows box shows that the pushed route is there.
19:44 < omgs> Ok, I think the problem is on the server
19:44 < omgs> do "ifconfig tap0 up", because by default, it's not up, and try pinging
19:45 < k2gremlin> ip addr shows the tap interface up with master of br0.
19:46 < k2gremlin> I can ping 2.25 but I cannot ping 2.1 which is the gateway for this subnet
19:46 < omgs> don't believe tap0 is up, please do it
19:47 < omgs> If not, then make sure you can forward from tap0 to br0
19:47 < k2gremlin> I did
19:47 < omgs> First, make sure forwarding is enabled by "cat /proc/sys/net/ipv4/ip_forward"
19:47 < k2gremlin> I got a 0 returned..
19:47 < k2gremlin> so it's not there?
19:48 < k2gremlin> or not turned on
19:48 < omgs> Then it's not enabled
19:48 < omgs> do "echo 1>/proc/sys/net/ipv4/ip_forward"
19:48 < omgs> and check again
19:48 < k2gremlin> even with sudo.. permission denied..
19:48 < k2gremlin> to enter that command
19:49 < omgs> you need root for that
19:49 < k2gremlin> ok... says invalid argument now
19:50 < omgs> you can also edit /etc/sysctl.conf via sudo
19:50 < k2gremlin> supposed to be a space after ">" ?
19:50 < omgs> yes
19:50 < omgs> and before, too
19:50 < k2gremlin> yep got it.. trying
19:51 < k2gremlin> still unreachable
19:51 < omgs> did you check with cat it's enabled?
19:51 < k2gremlin> yes returned "1"
19:51 < omgs> to make it persistent, you need to edit /etc/sysctl.conf
19:51 < k2gremlin> sudo vi /etc/sysctl.conf
19:51 < k2gremlin> err
19:51 < k2gremlin> wrong screen lmfao
19:52 < omgs> But right now, the problem is that you can't forward, surely iptables
19:52 < omgs> Do you have rules for that?
19:52 < k2gremlin> Ill check but they should all be accept any.
19:52 < omgs> Do you deny forwarding by default?
19:53 < k2gremlin> this sysctl file, I add "net.ipv4.ip_forward = 1" correct?
19:53 < k2gremlin> that I don't know
19:53 < omgs> Usually you just have to uncomment a line, but yes, that's the result
19:54 < k2gremlin> Ok, and this may mean something. The client pulled a 192.168.2.101 IP. The server cannot ping it.
19:54 < andre4s> hey guys, is it possible with a tun openvpn to access the whole subnet behind the server?
19:54 < k2gremlin> client can ping server.. but server cannot ping client.
19:55 < omgs> Try restarting the daemons
19:55 < k2gremlin> omgs, would it be easier to restart the entire server?
19:55 < omgs> k2gremlin: of course not
19:56 < omgs> Just do "/etc/init.d/openvpn restart"
19:56 < omgs> andre4s: do you have an interface on the server directly attached to that network (i.e. with an ip of the subnet)
19:57 < omgs> k2gremlin: what's the real ip of the server in that network?
19:57 < k2gremlin> 192.168.2.25
19:57 < k2gremlin> that's what is configured on the br0 as static
19:58 < omgs> Did you setup that ip in the bridge-server directive?
19:58 < k2gremlin> So the server still cannot ping the client. Right now the client has an open SSH connection to the server. How is that possible?
19:58 < k2gremlin> Yes
19:58 < andre4s> omgs, yeah, it is configured and i am able to ping the vpn server device of the local subnet too
19:58 < omgs> Did you see any warnings when starting?
19:58 < andre4s> but i am not able to ping an ip of the local subnet?
19:59 < omgs> andre4s: I have that same problem with tun, but not with tap
19:59 < k2gremlin> omgs, "WARNING: No server certificate verification method has been enabled."
19:59 < andre4s> do i need to set a bridge to connect the local subnet
19:59 < k2gremlin> andre4s, that is what I am working on right now
19:59 < andre4s> omgs, same here! ;)
19:59 < k2gremlin> with tap, I can ping the server but nothing else on the lan
19:59 < andre4s> hehe
19:59 < omgs> I don't think it's mandatory, but it's the only way I've been able to make it work
20:00 < omgs> I mean, with tap
20:00 < k2gremlin> omgs, other than the verification warning, no other warnings in the log
20:00 < andre4s> i have a tap openvpn running too and it's working like a charm
20:00 < andre4s> but one of my clients does not support tap devices...
20:00 < omgs> Well, as long as you're connected, the certs aren't an issue
20:00 < k2gremlin> omgs, Ill pastebin my interface config and my server.conf ok?
20:01 < omgs> Do you have "client-to-client", for instance?
20:01 < andre4s> me? yes! but it's only so that the vpn clients can communicate together, right?
20:01 < omgs> k2gremlin: make sure the steps for adding the iface are in that order
20:02 < k2gremlin> http://pastebin.com/TLJdqyxS
20:02 < omgs> When you restart the vpn, the tap goes down, and it may be out of the bridge, unless you setup something
20:04 < k2gremlin> would I still be able to connect if the tap was down?
20:05 < omgs> You can connect, but not reach the network
20:05 < omgs> That's part of my headache
20:06 < k2gremlin> got it!
20:06 < omgs> Is tap0 part of the bridge right now?
20:06 < k2gremlin> Promisc mode on my vm interface
20:06 < omgs> I don't have promisc enabled
20:06 < k2gremlin> It's a VM
20:07 < andre4s> do i have to configure a bridge on my tun too?
20:07 < k2gremlin> on ESXi.
20:07 < omgs> andre4s: you can't use bridge with tun, it has to be tap
20:07 < k2gremlin> I created a vm network with promisc on and moved the OpenVPN server interface to the new vm interface and it worked
20:07 < k2gremlin> let me move it back to a vm network without promisc
20:08 < andre4s> but if i bridge the interface by myself so that it connects the two devices it should solve my problem, right?
20:08 < k2gremlin> omgs, Yea sure as crap.. it stopped working
20:08 < k2gremlin> Any idea why the VM network needs promisc?
20:09 < omgs> Do you use a vm as server? Do you have a real server in the same network?
20:09 < k2gremlin> So my setup is an R710. I have Ubuntu as a VM on ESXi. Openvpn is on that Ubuntu
20:11 < omgs> mmm there might be some setting in virtual center to explain that
20:11 < k2gremlin> Yea something to do with the virtual switch
20:12 < k2gremlin> So on vSwitch0 I have a regular network with all of my servers. I have a second network with promisc turned on. I move the interface for the Ubuntu server over to the second vm network and it started working right away.
20:12 < omgs> I'm thinking about tagging the traffic in the vlan, not sure
20:12 < k2gremlin> I moved the Ubuntu interface back to my regular vm network and it stopped
20:13 < k2gremlin> They are all setup as VLAN None. However, on my breakout switch they are connected to, it tags them as vlan 100
20:15 < omgs> Is br0 tagged?
20:16 < omgs> Or the ethX?
I take it they shouldn't
20:17 < k2gremlin> omgs, sorry got booted when I re-enabled my PC nic lol
20:18 < wallbroken> very frustrating to ask tunnelbear about an openvpn fail and they told me "we does not support ios client openvpn app"
20:23 < andre4s> looks much easier than i thought! https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
20:23 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net)
20:23 < andre4s> nice explanation
20:36 < sweatsuit> i'm connecting to my openvpn server that's at my home, IPV4. I'm at a cafe with an IPV6 connection and my IP address seems to change. I can ssh into my home network, but www.whatismyip.com reports the cafe address.
20:37 < sweatsuit> what's confusing is www.ipchicken.com reports my home IP.
20:38 < sweatsuit> Is there extra configuration needed when connecting to an IPV4 server from an IPV6 connection
20:38 < sweatsuit> ?
21:20 < wallbroken> https://community.openvpn.net/openvpn/ticket/614
21:20 <@vpnHelper> Title: #614 (Connect on iOS 9: IPv4 routing doesn't work with dual-stack) – OpenVPN Community (at community.openvpn.net)
21:20 < wallbroken> update when?
--- Day changed Sun Feb 07 2016
06:13 < Serus> Guys
06:13 < Serus> I solved my routing problems with videogames
06:13 < Serus> the solution is to use a different iptables rule
06:14 < Serus> instead of iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
06:15 < Serus> you should use iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source *insert eth0 ip here*
06:15 < Serus> this will allow you to log in into games like league of legends
10:14 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 240 seconds]
10:16 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
10:16 -!- mode/#openvpn [+o dazo_afk] by ChanServ
10:17 -!- dazo_afk is now known as dazo
14:05 < japhar81> can anyone shed some light on this: "awsVpc":500 STATE_MAIN_R2 (sent MR2, expecting MI3); EVENT_RETRANSMIT in 39s; lastdpd=-1s(seq in:0 out:0); idle; import:not set
14:05 < japhar81> trying to set up a tunnel in AWS, I've allowed all traffic between the two boxes
14:05 < japhar81> and I did ufw allow on 500 and 4500
14:06 < japhar81> not sure what i might be missing
14:15 <@Eugene> The first problem is you're asking for IPsec help in #openvpn. The second problem is you didn't wait for somebody to tell you that.
14:15 <@Eugene> !redirect
14:15 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
14:15 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
14:15 <@Eugene> sweatsuit ^ the flowchart is your friend
14:16 <@Eugene> If you want both IPv4 and IPv6 to flow through the tunnel then you'll need to configure both
14:16 <@Eugene> If you want to just do IPv4 then you'll need to disable your IPv6
14:17 <@Eugene> ipchicken only supports ipv4, so that's why you're seeing that. Try wtfismyip.com, which lists both (via JS magic)
14:22 < wallbroken> Eugene, i have this problem: https://community.openvpn.net/openvpn/ticket/614
14:22 <@vpnHelper> Title: #614 (Connect on iOS 9: IPv4 routing doesn't work with dual-stack) – OpenVPN Community (at community.openvpn.net)
14:23 <@Eugene> I don't own or know anything about iOS devices. Sorry.
14:23 < wallbroken> is there some developer who cares about it?
14:24 < wallbroken> looks like there is no support on that app
14:24 <@Eugene> #openvpn-devel would be the place, but it's both a Weekend and a Sportsball holiday
14:24 <@Eugene> Connect is the non-free OpenVPN AS client; try submitting a support ticket to them using the AS subscription rights they'd be glad to sell you ;-)
14:25 <@Eugene> (I'm not a GPLite, there's just no avenue except that for support. sorry)
14:25 < wallbroken> ok thank you, but i use it with opensource profiles
14:26 < wallbroken> there aren't updates since 2014, i just want to know if the app is currently under development
14:26 <@Eugene> No clue
14:26 < wallbroken> the only one who knew something about it was novaflash, but looks like he's been AFK for years
14:28 < wallbroken> i hope that the support to paying AS users is a little better, because to free users it is non-existent
15:01 < SAKUJ0> hey there. i have a dedicated server and want to allow access only through VPN.
I will have to set DNS records to 10.8.0.1 I suppose?
16:08 < japhar81> so I've set up the simplest possible config: http://pastebin.com/0rwBECm5 -- I'm trying to set up a tunnel between two sites
16:09 < japhar81> no errors that I can see, but I can't ping across.. and ip route shows nothing.. what am i missing?
17:02 < k2gremlin> Hello all, I am looking for some guidance on site to site openvpn connection. The OpenVPN would be connected on Ubuntu servers that are below the edge router/firewall. The goal I am trying for is to get both LANs to be able to communicate. Anyone have an install guide I can go off of?
17:09 < SAKUJ0> What are the best practices for OpenVPN subnets? I figured if I have something rather specific (not one company with one big VPN network), I'd do better not occupying 10.8.0.0/24. I figured I'd choose a 10.8.N.0/24 with N rather high, so as to avoid collisions
17:10 < SAKUJ0> or can you say out of experience that changing the default network from 10.8.0.0/24 to something like 10.8.136.0/24 is stupid?
17:11 < SAKUJ0> Obviously the entire thought behind my question is that I might deploy multiple servers in the future which could have different subnets inside 10.8.0.0/16
21:20 < gotz> hello
21:21 < gotz> help
21:23 < gotz> can anyone help in configuring the .ovpn file to use ssh with openvpn, and also is it possible to block some connections while using an openvpn connection on a droid device
22:55 < k2gremlin> Hello all, having trouble pushing configs to a client. I want the client to iroute its LAN so that the server side can reach the entire client LAN. In the server.conf I did client-config-dir /etc/openvpn/ccd/ and in that directory I made a file "client". That file has one line, iroute 192.168.2.0 255.255.255.0. Client connects fine and server can ping the client's 192.168 address but nothing else on that LAN
23:07 < Neighbour> is your server forwarding ipv4?
(`cat /proc/sys/net/ipv4/ip_forward` to check, `echo 1 > /proc/sys/net/ipv4/ip_forward` to set)
23:07 < Neighbour> is your server NAT'ing traffic from the tunnel to your LAN?
23:07 < Neighbour> is your server's firewall allowing traffic from the tunnel to the LAN?
23:08 < Neighbour> do the clients on your LAN have a route back to the IPs your openvpn gives out to the clients? (i.e. a route for 192.168.2.0/24 to your openvpn server)
23:09 < Neighbour> if the clients have a route, you don't need to NAT traffic per se (since if you NAT the traffic, it will seem to come from your openvpn server and the return traffic will route just fine)
--- Day changed Mon Feb 08 2016
06:30 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 260 seconds]
06:40 < xmj> morning
06:41 < xmj> how do i get openvpn on tun devices to use a given IP for its "gateway" ?
06:41 < xmj> i've configured tun0 to be 'inet 10.2.0.1 10.2.0.2 mtu 1500 netmask 255.255.255.255', and now openvpn wants to serve stuff via 10.2.0.5
06:41 < xmj> which can't work, because it isn't allowed to actually use that IP.
06:46 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
06:46 -!- mode/#openvpn [+o dazo_afk] by ChanServ
06:47 -!- dazo_afk is now known as dazo
07:35 <@plaisthos> xmj: hm what route are you using?
07:35 <@plaisthos> or how do you specify routes?
07:35 <@plaisthos> normally openvpn will figure out the right gateway itself
07:36 < xmj> yeah the problem is that running openvpn in a jail, it's not allowed to actually do stuff to the route table and/or tun0 device
07:36 < xmj> guess the right way to answer that question is, i should add static routes.
07:36 <@plaisthos> xmj: if it's not allowed to setup routes etc, it does not matter what openvpn wants to do anyway, right?
:)
07:37 < xmj> well, `service openvpn restart` does mess with the existing tun0 config :->
07:37 <@plaisthos> xmj: ifconfig-noexec, route-noexec iirc
07:37 < xmj> yup exactly
07:37 < xmj> even with that in the config :)
07:37 < xmj> so. on the host i have
07:38 < xmj> tun0: inet 10.2.0.5 --> 10.2.0.1 netmask 0xffffffff
07:39 < xmj> it would probably be really easy if i were to just setup openvpn outside of the jail
07:39 < xmj> buut
07:43 <@ecrist> wallbroken: this is the support channel. :)
07:43 <@ecrist> !admin
07:44 < wallbroken> yes i know
07:45 < wallbroken> could "NovaBear" be here?
07:45 < wallbroken> is one of the tunnelbear support service staff
07:46 < xmj> plaisthos: ok.. something fundamental
07:46 < xmj> when i set tun to "10.2.0.5 10.2.0.1", which IP is .. which ?
07:46 <@ecrist> !net30
07:46 <@vpnHelper> "net30" is "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
07:47 <@ecrist> xmj: you should use topology subnet instead
07:47 <@plaisthos> xmj: first ip is yours, second ip is the one of the server
07:47 < xmj> plaisthos: right, if i set tun0 on the server, do i 10.2.0.5 10.2.0.5 'both' ?
07:47 < wallbroken> ecrist, can I ask you the reason why tunnelbear pushes two route directives when i connect to it?
07:48 < wallbroken> https://www.dropbox.com/s/2x3jm6ds7cxnci4/log.txt?dl=0
07:48 < wallbroken> you can see it here
07:49 < wallbroken> 4 [route] [17.0.0.0] [255.0.0.0] [net_gateway] and 10 [route] [172.18.10.1]
08:20 < adac> What do I need to set on the openvpn server config, so that the local internet connection does not also get routed via the VPN?
08:21 < adac> this is what I have set currently: https://gist.github.com/anonymous/73c7df63d5bd9121ba59
08:21 <@vpnHelper> Title: gist:73c7df63d5bd9121ba59 · GitHub (at gist.github.com)
08:26 < hiya> People can connect to my OpenVPN server but won't get internet?
08:28 < adac> hiya, I have the opposite problem
08:28 < adac> :D
08:28 < adac> I don't want to route all traffic through the VPN
08:29 < DArqueBishop> adac: based on that server config, you should be fine.
08:29 < adac> DArqueBishop, weird. Maybe on my client side then I have something wrong?
08:30 < adac> could this be the case?
08:30 < DArqueBishop> It's possible.
08:30 < DArqueBishop> Could you pastebin your client config?
08:30 < adac> redirect-gateway def1
08:30 < adac> it is in the client config for some reason
08:30 < DArqueBishop> Yeah, that's your problem.
08:31 < adac> DArqueBishop, thanks a lot man!
08:31 < DArqueBishop> No problem. :-)
08:31 < adac> hiya, I guess you have to set what I have to remove :D
08:31 < hiya> adac, no no I got it
08:31 < hiya> it was DNS issue
08:31 < hiya> lol
08:32 < adac> oh ok good that you solved it!
08:39 <@ecrist> wallbroken: what two routes do you have questions about?
08:45 < adac> DArqueBishop, is there also an option that would supersede the client config on server side for the whole traffic not to be routed through the VPN?
08:45 <@ecrist> the server is really what determines what gets routed or not
08:45 <@ecrist> if the server process isn't aware of a subnet needing routing, the openvpn process won't forward that subnet to the kernel
08:47 < adac> On my client config I had something like this: "redirect-gateway def1" which caused all traffic to be routed via openvpn. So what would be the command to deny this on server side?
08:51 <@ecrist> they're not denying it, per se, they're just not necessarily supporting it
08:52 <@ecrist> on the server side they would need to set up NAT from the VPN to the outside world, or provide real world-routable IPs to the VPN clients.
08:52 < adac> ok I see
09:03 < adac> I can use two vpn servers to have some kind of a failsafe cluster if one is just going down. I heard I can set a flag so that two vpn servers are listed in the client file
09:03 < adac> is this a good approach at all?
At first look it seemed to be good
09:21 < Poster> there are a few options there, you can list multiple servers in the client configuration which from what I recall will attempt connections in the order specified
09:22 < Poster> another option is to use a DNS based failover mechanism, but this is outside the scope of OpenVPN, but basically you would need some sort of health monitor to see if your target server system is up and running, if true, point vpn.yourdomain.com to its IP address, if it fails, change the DNS record of vpn.yourdomain.com to some other address of a failover system
09:23 < Poster> you could also consider using OS type availability systems such as Linux-HA or (u)carp for clustering of server systems, understanding that something of that nature only covers a server failure and not a site (or Internet connection) failure
09:24 < adac> Poster, thanks for the option overview!
09:25 < adac> Poster, in the first case, do those two servers have the exact same configuration, right?
09:25 < Poster> not entirely, you'll want them to have certificates from the same CA
09:25 < Poster> but they can go other places
09:26 < Poster> for example if your organization has 2 buildings, vpn1.yourdomain.com can go to your main office, hand out client addresses in the 172.18.5.0/24 range, then have vpn2.yourdomain.com go to your secondary office and hand out client addresses in the 172.18.10.0/24 range
09:27 < Poster> in theory in the above case, you would push routes to all of the company resources (assuming there was some type of link between buildings)
09:28 < Poster> I've used that method successfully at home where I have 2 Internet links, I try the faster link 1st, but if it's unavailable, it tries the slower link
09:29 < adac> I'm not so sure on how those two VPNs are connected. Maybe I need to do some more reading
09:29 < Poster> ok so let's back up, what did you have in mind for a "backup" or "failover" VPN system?
09:29 < adac> Initially I thought those two vpns vpn1 and vpn2 just simply have the exact same configuration
09:29 < Poster> are you wanting to provide redundancy for a server failure, Internet connection failure or some other site-wide failure?
09:30 < adac> Poster, actually I only wanted to have two vpn servers. on two physical servers. when one is down the client can switch to the second one
09:30 < Poster> ok so that being true, you could probably just provide two server lines in the client configuration
09:31 < Poster> vpnserverA.yourdomain.com to the preferred system, vpnserverB.yourdomain.com to the secondary system
09:31 < adac> Poster, exactly that should work. I'm not so sure about if those two vpn servers should/can have the exact same configuration
09:31 < Poster> this assumes they have either unique public IP addresses OR run on a unique port number
09:31 < Poster> the routing part may be tricky
09:32 < adac> Poster, also what happens if half of the connections run on vpn1 and the other on vpn2
09:34 < Poster> that is why I would suggest unique pool ranges
09:34 < Poster> so let's go down a hypothetical scenario
09:34 < Poster> vpnserverA has clients in the 172.18.5.0/24 subnet
09:35 < Poster> vpnserverB has clients in the 172.18.6.0/24 subnet
09:35 < Poster> on the LAN side, vpnserverA is 192.168.50.10, vpnserverB is 192.168.50.11
09:36 < Poster> on your core switch (or firewall, whatever is your default gateway) you must establish a route to 172.18.5.0/24 (vpnserverA clients) via 192.168.50.10 (vpnserverA LAN address)
09:36 < Poster> likewise you'd need a route to 172.18.6.0/24 (vpnserverB clients) via 192.168.50.11 (vpnserverB LAN address)
09:36 < Poster> so regardless of which path the clients come in, return routing to them is established
09:37 < wallbroken> does openvpn support user; pass; <\auth-user-pass> ?
09:37 < Poster> if you run identical configurations on vpnserverA and vpnserverB, you run into the challenge of knowing which path to send the return traffic
09:37 < adac> Poster, I see, ok!
09:37 < adac> thank you!
09:37 < Poster> np!
10:01 < hiya> WARNING: file '/etc/openvpn/keys/server.key' is group or others accessible
10:01 < hiya> What can I do about it?
10:04 < adac> chmod 600 /etc/openvpn/keys/server.key
10:05 < adac> So the permissions will be lowered and the warning should disappear
10:07 < hiya> adac, but on server ca.crt dh.pem server.crt server.key ta.key
10:07 < hiya> all of them should be chmod 600 only right?
10:07 <@plaisthos> crt can be 644
10:07 <@plaisthos> it is public anyway
10:08 < hiya> dh.pem?
10:08 < hiya> 600?
10:08 < hiya> plaisthos, What verb level won't give us user real IP?
10:08 < hiya> other than 0? I need something :)
10:18 <@plaisthos> hiya: ?!
10:23 < DArqueBishop> hiya: your server is always going to have the user's real IP, unless they're connecting through a service like a proxy or TOR.
10:24 < hiya> plaisthos, ok
10:25 < hiya> DArqueBishop, Cannot we modify it at the source level to show a fake IP or common IP for all? like 0.0.5.5
10:27 < DArqueBishop> I suppose it's possible, but as I am an admin and not a developer that's beyond the scope of my abailities.
10:27 < DArqueBishop> Apparently spelling is also outside the scope of my abilities.
10:40 < hiya> DArqueBishop, I know someone who has created a patch that does it
10:44 < DArqueBishop> Honestly, it sounds like such a patch will cause more problems than it creates.
10:45 < DArqueBishop> Especially on a legal front.
10:47 < DArqueBishop> You can have plausible reasons for not logging at all. If you deliberately hide your users' IP addresses in the logs to shield them from law enforcement, I can't see why law enforcement wouldn't then throw the book at you as you're obviously deliberately aiding and abetting what crimes your users are committing.
10:47 < DArqueBishop> (Note: IANAL.)
10:48 < DArqueBishop> I mean, cause more problems than it solves.
10:48 < DArqueBishop> Either aiding or abetting, or deliberately and obviously interfering with a legal investigation.
11:21 <@ecrist> it will be nearly impossible to hide the "real" remote IPs from OpenVPN.
11:22 <@ecrist> Doing so would require an external device that translates the remote connections to internal "fake" IPs.
11:22 <@ecrist> However, if the admin also has control of that proxy device, what's the point in hiding them anyway?
11:36 < japhar81> hmm.. this is very odd.. I set up a simple site-to-site tunnel.. the gateways on either side can ping each other
11:37 < japhar81> but another box can't seem to ping the far-side gateway thru the near-side one
11:38 < japhar81> anyone know how i might debug this?
11:38 < japhar81> --verb 6 doesn't show traffic
11:39 <@ecrist> what does a traceroute from the "other box" show when you trace to the other gateway?
11:39 < japhar81> nothing, bunch of *'s
11:40 < japhar81> this is in AWS, I did add a route: 172.40.0.0/16 -> near-side GW
11:40 < japhar81> which I can ping
11:42 < japhar81> is there any way to have openvpn show in/out packets from other boxes? I'd like to see if it's even getting to the gateway
11:52 < Neighbour> japhar81: check if forwarding is enabled, check if both networks are routable from the other end, and check if there aren't any firewall rules in the way
11:52 < japhar81> oh you know what, i'm pretty sure i didn't turn on forwarding
11:52 < japhar81> how do i do that?
11:53 < Neighbour> echo 1 > /proc/sys/net/ipv4/ip_forward
11:53 < japhar81> aha that would do it
11:53 < Neighbour> use `cat /proc/sys/net/ipv4/ip_forward` to check its current value
11:54 < japhar81> i gotta rebuild the boxes real quick, i somehow locked myself out
12:27 < japhar81> this is awesome
12:27 < japhar81> for some reason when i install openvpn and reboot, i can no longer connect to the box
12:33 < japhar81> does ifconfig in my openvpn config have to have real IPs?
12:33 < japhar81> i.e. the actual public IPs of my boxes?
12:38 < japhar81> hm, no, that's not it
13:06 < japhar81> hm, ok, so i'm back to where i was.. i have a route: 172.40.0.0/16 via 172.30.0.242 dev eth0 pointing to .242 (my 'near' gateway)
13:06 < japhar81> but i can't ping the 'far' gateway
13:07 < japhar81> firewalls are down (ufw disable), and the gateways can ping each other
13:07 < japhar81> what else could it be :-/
13:44 < cwage> do you have to restart or sighup openvpn for it to pick up new/different ccd files? or does it poll for changes to those?
14:23 < Mike--> cwage: they will be picked up dynamically
14:30 < cwage> k, thanks
14:56 < Neighbour> japhar81: does the far network have a route to the near network?
14:57 < Neighbour> the vpn endpoints can ping each other on the tun-ip's
14:57 < japhar81> yep they both have a route to the other
14:57 < japhar81> the tunnel is at 10.0.0.1 - 10.0.0.2
14:57 < japhar81> i'm pinging the 172.xxx IPs fine
14:57 < Neighbour> you can try playing with the -I option of ping
14:57 < japhar81> and i see routes
14:57 < japhar81> yeah that's where i'm headed next
14:58 < Neighbour> ping -I 172.30.0.242 172.40.something
15:52 < japhar81> this is awesome, it just sits there
15:52 < japhar81> even -I
15:53 < japhar81> no response, no timeout
15:53 < japhar81> just nothing
15:53 < Rienzilla> Good evening
15:54 < japhar81> Rienzilla: hi
15:54 < Neighbour> japhar81: time to tcpdump stuff and find out what's happening
15:54 < japhar81> Neighbour: show me the way!
I've never had to do that 15:56 < japhar81> I'd settle for a way to see if my ping even reaches my near-side GW 15:57 < Neighbour> start pinging something on one console, then do `tcpdump -n icmp` on another 15:57 < Neighbour> and see what goes past (which interface, which source address, which dest address) 15:57 < Neighbour> then dump on the other vpn endpoint as well and see wat happens 15:58 < Neighbour> do you only see icmp requests, or do you see replies as well? 15:58 < japhar81> i see.. neither 15:58 < Neighbour> where do you still see them, where do you miss them? 15:58 < Neighbour> then the ping -I is not producing anything....`tcpdump -n icmp` checks *all* interfaces 15:59 < Neighbour> oh, wait, manpage says to use `tcpdump -n -i any icmp` to capture all interfaces 16:00 < Neighbour> otherwise start multiple captures, one per interface (so -i eth0, -i tun0 etc) 16:00 < Rienzilla> I have a VPS with four public IP addresses. I would like to assign those ip addresses to (virtual) machines living somewhere else, and tunnel the traffic via openvpn. One way would probably be to use a tap interface and put that into a bridge. However I was wondering if I could accomplish the same using a tun configuration, while keeping the vm's convinced their own IP is the public IP on the vps. Is an elegant way to accomplish this using a tun-openvpn 16:01 < japhar81> hm nothing 16:02 < japhar81> let me tcpdump on the actual box sending the pings 16:11 < Neighbour> i'm off to bed...but try tracing the pings and see where they fail to show...then try to figure out why..check src,dst-adresses, routing, firewalling 16:13 < japhar81> its looking like it might be AWS routing 16:13 < japhar81> its going nowhere 16:14 < Neighbour> does the originating box have a route for the ip you're pinging? is that the route you want it to have? :) 16:14 < Neighbour> zzz 17:32 < andre4s> hey guys, i seted up my vpn with a tun device and i am able to connect to any client behind the server. 
but if i try to establish a conenction to my ssl secured webserver i cant connect to it 17:33 < andre4s> what do i need to establish a ssl connection over a tun openvpn? 17:52 < zoredache> andre4s: There is nothing that should be special about a SSL connection. Does a ping+trace from the client to the server you are trying to connect to succeed? 17:52 < andre4s> zoredache, yes, i can establish a ssh session too 17:54 < zoredache> Well if the box is reachable with other protocols, and you are certain the traffic for the other protocols is crossing the VPN. That almost certainly indicates some kind of firewalling on the server, client or VPN server. 17:54 < zoredache> Usually a quick tcpdump running on the client and server should give you a hint about which side the problem is one. 17:55 < andre4s> zoredache, thank! i will try to check this 18:16 < Rienzilla> ugh 18:16 < Rienzilla> almost there 21:54 < CooloutAC> hello all, i was wondering, would openvpn help me be more secure when connecting to my bank website through a hostile router? 21:54 < CooloutAC> say my homr router is compromised, but I want to connect to my banking site, would connecting first to an openvpn router help? --- Day changed Tue Feb 09 2016 01:07 -!- [Mew2]- is now known as [Mew2] 01:09 -!- ade_b is now known as ade 01:28 < Bogdar> Hi, I'm using OpenVPN with OpenLDAP auth backed. Does it possible to have per-group client configs somehow? Currently I create config for each user... 01:45 < rtur> Hi guys. I'm wondering if there is a difference for servers, the ones I'm connecting through a vpn server, whether I am using tcp or udp to connect to the vpn server ? 
I'm asking cause for quite some time I wasn't able watch youtube videos or sign in to netflix (the log in page didn't even load) when on vpn, and after a trying all kinds of stuff with my config I also switched from udp to tcp and now 01:45 < rtur> everything works, so it seems like it makes a difference, but it could still be some missconfiguration on my part I think, cause how in the word would it matter for the server.. 02:30 < karstenk> good morning 02:31 < karstenk> Is it possible to make a simple Peer Connection with OpenVPN to a fortigate? 03:21 < dorp> Hello, I was wondering if the following route table seems correct? http://sprunge.us/XPCW 03:23 < dorp> I'm running the client from Windows 10, it seems to initialize successfully, but it would still route everything through my wifi 03:25 < dorp> The client conf is the 'sample' conf file, with the 'remote' directive changed to my server's ip 03:30 < adac> Is this setting correct for the ip range on the server? "server 172.18.5.0 255.255.255.0" 03:31 < adac> Sorry I do not know that much about networks yet 03:32 < Sypher|IT> !welcome 03:32 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. 
|| Also interesting: !man !/30 !topology !iporder !sample !forum 03:33 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 03:33 < Sypher|IT> !configs 03:33 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting 03:34 < Sypher|IT> Hey guys, i'm basically trying to use an openvpn via tcp port 443 ... everything's ok at the moment, pretty basic config, the only thing is i can't pass the gateway to the client. Supposedly it should be working, but ... it isnt. 03:34 < Sypher|IT> Debian on the server with latest package installed and tunnelblick on the OSX client. 03:35 < dorp> !route 03:35 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client 03:37 < Sypher|IT> configs: http://pastebin.com/Kx1fgV63 03:37 < Sypher|IT> dorp, that for me? 03:37 < dorp> Sypher|IT: Nope 03:40 < dorp> !howto 03:40 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! 
or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN 03:48 <@plaisthos> Sypher|IT: the ip parameter for redirect-gateway is wrong 03:49 <@plaisthos> you probably want def1 instead 03:49 <@plaisthos> !def1 03:49 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1" 03:49 < Sypher|IT> plaisthos, yeah, was doing that before 03:49 < Sypher|IT> but no joy either. anyway, now i'm forcing all traffic through the vpn by setting in tunnelblick, so should be ok ... 03:49 < Sypher|IT> if i put 'pull' or 'client' directives in the client config file openvpn simply won't start, but i guess thats system related 03:54 <@plaisthos> Sypher|IT: without pull or client the push settings cannot work 03:55 < Sypher|IT> yeah, thats why i'm forcing it through the tunnelblick options 03:55 < Sypher|IT> guess that's solved, now on to do snat ^_^ 07:13 < mebus> Hi! My VPN tunnel does not seem to forward ipv6 packages. why? 07:21 <@ecrist> good morning. 
07:22 < Rienzilla> joy
07:22 < Rienzilla> tun + proxyarp instead of tap with ebtables magic :)
08:15 -!- excalibr- is now known as excalibr
08:52 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
09:06 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
09:06 -!- mode/#openvpn [+o mattock] by ChanServ
09:09 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
09:09 -!- mode/#openvpn [+o mattock1] by ChanServ
10:26 -!- mattock_ [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
10:26 -!- mode/#openvpn [+o mattock_] by ChanServ
12:11 < PhSnake> good evening
12:25 < PhSnake> anyone willing to help me with routing table in Windows? please
12:28 < zoredache> just ask your question.
12:42 < PhSnake> zoredache: I want to use openvpn only for ip from range 192.168.1.0/24; openvpn server assigns to windows client IP 192.168.2.6
12:42 <@Eugene> !/30
12:42 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips or (#2) you can avoid this behavior with by reading !topology
12:42 <@Eugene> !topology
12:42 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
12:42 <@Eugene> PhSnake ^
12:42 < PhSnake> from logfile and route print i see that gateway is 192.168.2.5
12:43 < PhSnake> and subnet i'm connecting is 192.168.1.0/24
12:43 < PhSnake> i can reach all devices in 192.168.1.0/24 network
12:44 < PhSnake> but it makes mess within our corporate network
12:44 <@Eugene> Read the links from the bot
13:41 < PhSnake> is there any way how to remove certain routes upon connection to VPN?
13:42 < PhSnake> it automatically adds some routes I dont want...
13:42 < PhSnake> I mean automatical
13:42 < PhSnake> or instruct to not add routes at all, and add them manually
13:43 < zoredache> what routes? You could do a push-reset in your ccd maybe, and then add only the stuff you want.
13:46 < zoredache> If you are on the client side you might be able to do something like `--iproute echo` or something?
13:46 < zoredache> ie redefine the route command to just be 'echo'
13:47 < zoredache> there is also the route-nopull or route-noexec route-up options. See the docs to see if any of these will work for you.
14:22 < Rienzilla> joy
14:29 < jb21> been google'ing looking for an explanation as to why an ubuntu openvpn client hangs/fails at "TLS: Initial packet from" -- but CentOS box happily connects. Same .ovpn file
14:29 < Neighbour> firewall?
14:30 < jb21> nothing on the ubuntu box -- and firewall in front of it has a "any any allow" outbound
14:30 < Neighbour> if you're using udp, check incoming as well
14:31 < jb21> really? return traffic i would expect to be associated with the session (stateful)
14:31 < jb21> one thing i noticed in the output from the centos client that was not present from the ubuntu client was the line "library versions: OpenSSL XXXXXX"
14:51 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 260 seconds]
14:52 < onto> Hi! I am trying to connect to a vpn server under Ubuntu 14.04 but I get the following error: "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
14:52 < onto> TLS Error: TLS handshake failed
14:52 < onto> SIGUSR1[soft,tls-error] received, process restarting
14:52 < onto> And it doesn't create a tun0 interface
14:55 < jb21> same here
14:55 < jb21> have you done a packet capture?
14:56 < onto> jb21: No
14:57 < jb21> i have same client platform (ubuntu 14.04) and same error; i have a centos client that works just fine. same .ovpn file
14:58 < onto> I haven't tried it on a different platform
15:55 < jb21> dang... just a bit too late
15:56 < jb21> was going to tell onto that i compiled 2.3.10 and success
17:09 < jafa> hi guys, I am a big fan of OpenVPN - use it for all our frontend to backend communication. Now I need to figure out an approach for getting cloud VMs talking to each other... wondering if anyone had a recommendation for a mesh vpn solution
17:38 < TheUnknownModder> Can VPN providers be discussed here?
18:09 -!- r[A]donx is now known as radonx
18:25 < mebus> How can I start multiple instances of openvpn in debian with init.d ?
18:25 < mebus> putting multiple configs in /etc/openvpn/ doesn't work.
18:27 < zoredache> doesn't work why? What happens when you try to start the service?
18:28 < TheUnknownModder> !ovpnuke
18:28 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
18:28 < mebus> zoredache: it only starts client.conf
18:28 < zoredache> Are you sure your two vpn configs don't have any conflicting routing configurations? Are you specifying the same tun device in both configs?
18:29 < mebus> zoredache: they run if I start them individually
18:29 < zoredache> which strongly indicates you have something conflicting between the two configs.
18:30 < zoredache> you could paste them somewhere.
18:32 < mebus> zoredache: later
18:53 < rigel> so i generated all my keys for server and clients on machine A. machine B will be used as the server, so it needs the files: ca.crt, dh2048.pem, server.crt, and server.key, izzat right?
18:54 < rigel> and client C will need clientC.crt, clientC.key, and ca.crt?
--- Day changed Wed Feb 10 2016
01:14 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
01:14 -!- mode/#openvpn [+o mattock1] by ChanServ
01:39 < volkova> Hello
01:40 < volkova> I'd like to ask a question. When I connect to a paid OpenVPN server from my OS X client the internet works but I cannot connect to the internal wireless devices. Is this intended functionality?
01:42 < volkova> I have printed the routing table and there is a route just above the default one which uses VPN IP, so that I suppose the server has "push "redirect-gateway def1"" option. May it be the cause?
01:43 < volkova> The server is thirdparty and I will not be able to change its configuration
02:30 < Nazara> hi all, I'm trying to set up a openvpn tunnel through a NAT
02:30 < Nazara> I have a VPS as a server, and my router (behind the NAT) connects to it
02:30 < Nazara> the server works fine as a general vpn server
02:30 < Nazara> I can connect with my laptop and router and all traffic flows through it
02:30 < Nazara> but I can't seem to route packets back behind the router
02:31 < Nazara> (I can ping the router's tun0 ip, but nothing else)
02:31 < Nazara> I have forwarding enabled, the router works otherwise too
02:32 < Nazara> I'm trying to "ip route add 10.1/16[my home subnet] via 10.8.0.10[router's tun0] dev tun0" but that returns "No such process"
02:33 < Nazara> and if I do "ip r a 10.1/16 via 10.8.0.2 [the tunnel to the router] dev tun0", it works but I can't ping 10.1/16
03:15 < adac> Poster, hi! I'd have some additional questions to your example: https://gist.github.com/anonymous/1ac1f189958dab92d0f8 (Remember the 'pseudo' cluster we discussed)
03:15 <@vpnHelper> Title: gist:1ac1f189958dab92d0f8 · GitHub (at gist.github.com)
03:19 < adac> just let me know if you have time or later. Would be awesome if I could ask you some more :)
04:07 < Nazara> Next question, can I have a ccd that applies when no other one is found?
04:27 < ju1c3d> Hi guys and girls, I have a question...When my openvpn client wants to reconnect, it can only reconnect to the same server, not to a different server in the pool, probably due to some key exchanges or something...does this sound familiar to anyone? What is actually the cause for this? And...Is there a possibility to work around this?
04:28 < ju1c3d> I'm using and like to keep using preserve-tun btw...which is probably also a cause of this problem...(routing)
04:35 < Adie> !welcome
04:35 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
04:35 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
04:35 < Adie> !goal
04:35 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
04:41 < Adie> I am on freeBSD and I am trying to set my openvpn_configfile within rc.conf
04:41 < Adie> My config filename has whitespace and is unable to be read even when I backslash escape it.
04:43 < Adie> openvpn_configfile="/usr/local/etc/openvpn/Home\ Office.ovpn" | WARNING: /usr/local/etc/openvpn/Home\ is not readable.
04:43 < Adie> I wasn't sure if this is a freeBSD issue, or an openVPN script issue, so I'm asking here :)
04:48 < adac> having this IP range: 172.18.5.* wondering how can I increase that range so I can use more than 255 IP addresses?
04:50 < ju1c3d> adac: play with subnet masks
04:50 < Adie> a subnet mask of 255.255.254.0 would give you 172.18.4.1 - 172.18.5.254
04:51 < Adie> applied on 172.18.5.1
04:51 < adac> Ok thanks! Jees I need to get into networking more :)
04:51 < adac> thanks!
04:51 < ju1c3d> adac: http://www.subnet-calculator.com/
04:51 <@vpnHelper> Title: Online IP Subnet Calculator (at www.subnet-calculator.com)
04:52 < adac> aswesome thanks!
04:52 < adac> *awesome
05:46 -!- radonx is now known as r[A]donx
05:53 < adac> Is this the shortest interval I can set for reconnect? "keepalive 1 2"
07:08 < adac> In the server config, can I somewhere set which IP can access another?
07:17 <@plaisthos> no
07:17 <@plaisthos> !peer-to-peer
07:17 <@plaisthos> !client-to-client
07:17 <@vpnHelper> "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind
07:17 <@vpnHelper> other clients
08:48 < Mpowend> hi
08:48 < Mpowend> can anyone send me a link to openvpn client?
08:49 < Mpowend> my country has blocked openvpn.net
08:50 < Neighbour> https://swupdate.openvpn.org/community/releases/openvpn-install-2.3.10-I602-x86_64.exe
08:54 < Mpowend> @Neighbour thank you
11:01 < ju1c3d> did someone ever play with the route "net_gateway" directive? I noticed this works differently when pushed from the server or when done in the client config...
11:07 < ju1c3d> oh ah, just figured out i need to add route-delay to get the outcome i was expecting
12:10 < gregor3005> What's the current best-practice (highest security) tls-cipher in openvpn? I have only latest openvpn clients
12:13 -!- jhayden_ is now known as jhayden
12:15 < gregor3005> this one? TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
12:39 <@ecrist> !ecdh
12:39 <@ecrist> !ecdsa
12:56 -!- jhayden_ is now known as jhayden
13:03 -!- dazo is now known as dazo_afk
13:09 -!- jhayden_ is now known as jhayden
13:32 < dorp> I'm using a vpn tunnel to my server, for the purpose of acting as a proxy for specific programs, for that I run a socks server (on the same server). On my client- I connect the vpn tunnel, and then I connect to the socks server. The socks server seems to see my 'real' dynamic IP, I was wondering if it's possible to make the connections that pass through the tunnel, to have a local IP? (for the purpose of allowing a static IP to access
13:32 < dorp> the socks server)
13:37 -!- jhayden_ is now known as jhayden
14:27 < jonfatino> So I have ubuntu 14.04 and openvpn setup and all traffic forwarded to the openvpn server
14:28 < jonfatino> that openvpn server has a 2nd nic with a private network on it that I am trying to access the 10.153.28.0 255.255.252.0 network
14:28 < jonfatino> What options do I put in the server or client config to push these routes ?
14:28 < Poster> dorp: make sure to use the IP address within the OpenVPN link and not the public IP of the OpenVPN server. A direct (non VPN) connection must be made in order to carry the OpenVPN transport, anything you wish to encrypt should use the internal to the VPN addresses.
14:32 < Poster> jonfatino: if you're routing all traffic, 10.153.28.0/24 should be included, you may need to establish return routing to your OpenVPN client IP range by way of the IP address of your OpenVPN server on 10.153.28.0/24
14:33 < Poster> for example, if your OpenVPN server is 10.53.28.10 and your OpenVPN client pool is 172.18.5.0/24, on your default gateway (core switch, firewall, etc) you would add a route to 172.18.5.0/24 (VPN client pool) via 10.153.28.10 (OpenVPN server LAN address)
14:36 < dorp> Poster: Thanks a lot for the hint, it seems to solve my issue
14:38 < jonfatino> Poster: so my ubuntu server has a public ip on eth0 and a private ip on eth1 10.153.31.252
14:39 -!- dazo_afk is now known as dazo
14:40 < jonfatino> So I need to add a route for 10.153.28.1/22 to 10.8.0.1 ?
14:52 < Poster> jonfatino: if you're routing all traffic through the OpenVPN link, 10.153.28.0/24 is included
14:53 < Poster> I am suggesting you add a return route from the 10.153.28.0/24 to your OpenVPN IP range (10.8.0.x?) via the LAN interface of your OpenVPN server
15:22 < jonfatino> Poster: how would I do that? How do I add a return route from 10.153.28.0/22 to the openvpn ip range 10.8.0.0
15:28 < Neighbour> on the default gateway of the 10.153.28.0/22 network, add a route for 10.8.0.0/16 to the ip of the openvpn client
15:40 < jonfatino> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o em2 -j MASQUERADE
15:40 < jonfatino> I did that and also have push "route 10.153.28.0 255.255.252.0"
15:40 < jonfatino> in server.conf
15:52 -!- Netsplit *.net <-> *.split quits: @syzzer
15:52 -!- IamError_ is now known as IamError
15:52 -!- joako_ is now known as joako
15:53 -!- Fusl_ is now known as Fusl
16:04 -!- dazo is now known as dazo_afk
16:24 -!- lxusrbin_ is now known as lxusrbin
16:26 -!- Eagleman7 is now known as Eagleman
16:54 -!- dazo_afk is now known as dazo
17:07 -!- hays_ is now known as hays
17:14 < Rienzilla> Hello there. I somehow created a funky routing loop, which I don't understand: http://pastebin.com/2prnq6FK
17:26 < Rienzilla> ah, never mind. I think I solved it
18:00 <@Eugene> !next
18:00 <@Eugene> !beer
18:00 <@vpnHelper> "beer" is what's for dinner (and occasionally breakfast)
18:00 <@Eugene> Good enough.
19:03 -!- dazo is now known as dazo_afk
19:12 < cj> hey folks
19:12 < cj> is there yet a way to have OpenVPN prompt the user for credentials on something other than STDIN?
19:28 <@Eugene> cj - the various GUIs should pop-up a prompt
19:39 < cj> yeah, I just found --management again... I did not add my config to network-manager, though. I would like to figure out how to get something like gnome-keyring to prompt me without having to enter all that stuff.
19:39 < cj> I want to ease our operations team's job of pushing new configs out
23:58 < k2gremlin> Anyone around that can assist with site-to-site connection? Client can ping entire server LAN, but server cannot ping client LAN
--- Day changed Thu Feb 11 2016
00:07 < gbons> !welcome
00:07 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
00:07 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
03:09 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
03:09 -!- mode/#openvpn [+o syzzer] by ChanServ
03:12 < Filystyn> i need help
03:13 < Filystyn> i want to use openvpn
03:13 < Filystyn> examples are hidden
03:13 < Filystyn> im lost
03:13 < Filystyn> ANYONE?!
03:15 < Filystyn> HELP neede
03:15 < Filystyn> d
03:21 <@plaisthos> !tutorial
03:21 <@plaisthos> !welcome
03:21 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
03:21 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
03:21 <@plaisthos> !howto
03:21 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
03:27 -!- dazo_afk is now known as dazo
03:48 <@dazo> ecrist: certificate expired on your secure-computing box
03:48 <@dazo> The certificate expired on 08/02/16 00:59
07:32 -!- PowerKiller2 is now known as PokeGuy
07:57 * ecrist grumbles
07:57 <@ecrist> I suppose I'll fix it. You're the second person to tell me so
08:19 <@ecrist> dazo: my cert is updated
08:23 <@ecrist> !ssl-admin
08:23 <@vpnHelper> "ssl-admin" is (#1) if you use freebsd, it is in ports or (#2) svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn or (#3) A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa
08:27 <@dazo> ecrist: Firefox was rather strict on me, as you have HSTS enabled ... so it didn't allow me to connect at all :)
08:27 <@ecrist> yeah, I ran into the same issue, but it's a good thing
08:27 <@ecrist> slightly obnoxious, but the desired result
08:28 <@dazo> ecrist: agreed! btw ... I've been playing around with Lets Encrypt ... found another more sane script than the official ones ... about to try to fully automate a site soonish
08:29 <@dazo> https://github.com/diafygi/acme-tiny
08:29 <@vpnHelper> Title: GitHub - diafygi/acme-tiny: A tiny script to issue and renew TLS certs from Lets Encrypt (at github.com)
08:30 <@ecrist> I don't use Let's Encrypt
08:30 <@ecrist> it's still too much of a fad for my liking
08:31 <@dazo> :)
08:31 <@dazo> I think Let's Encrypt has merits, still early in the process ... but the open ACME protocol and more and simpler clients make it worth exploring I think
08:32 <@ecrist> indeed
08:32 <@dazo> Especially when you can automate the whole certificate issuance
08:32 <@dazo> I don't like the official client though, as it requires to run as root and have full access to private keys
08:32 <@dazo> acme-tiny is far simpler in that regard
08:33 <@plaisthos> the official client really sucks
08:51 -!- jhayden_ is now known as jhayden
09:25 < cnf> what would cause packets going in on one side of the tunnel not to come out on the other side? but not for all destinations.
09:27 < cnf> does client-server limit the source ips you can use?
10:08 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 240 seconds]
10:08 -!- mattock_ is now known as mattock
10:23 -!- jhayden_ is now known as jhayden
10:33 -!- jhayden_ is now known as jhayden
10:47 < bitwise404> Hi! I hope that someone can help me. I mistakenly deleted all the keys and certs from my openvpn server. The server is still running and still accepting clients but I'm scared it won't work anymore if I reboot. Is it possible to recover my keys and certs somehow?
10:52 < debdog> bitwise404: recover them from your backup
10:53 < debdog> or, if you're very lucky, extundelete might be an option
10:54 < bitwise404> debdog: I wish I was that smart
10:55 < bitwise404> debdog: It's a vps, I don't think extundelete can help me
10:56 <@ecrist> bitwise404: without your server cert and key, and your CA cert, you're out of luck
10:59 < bitwise404> ecrist: I was hoping to dump them from memory somehow
11:05 < debdog> from my POV that'd be a security issue
11:12 <@ecrist> bitwise404: backups are easier. If you're not capable of managing backups, I'm guessing extracting crypto keys from memory is out of your wheel house
11:19 <@Eugene> If you're really lucky, it'll be in /proc//fd/N
11:19 <@Eugene> http://archive09.linux.com/feature/58142
11:19 <@vpnHelper> Title: Linux.com :: Bring back deleted files with lsof (at archive09.linux.com)
11:20 <@Eugene> It's important that you don't restart openvpn
11:20 <@Eugene> And, as has been beaten to death, go get yourself some Backups
11:23 < debdog> that's a neat method
11:26 <@ecrist> that will recover his server certs, we hope, but it will not bring back all his client certs, which are likely not being held open by any process
11:37 -!- themayor_ is now known as themayor
11:50 < caliculk> I know this is #openvpn and not #tunnelblick, but as a system administrator, does anyone know if an IRC Support channel exists for tunnelblick? I would like to use the latest version to create a configuration file that is accessible by all users, however, I need it to use each user's own .p12 certificate, and I can't have it store the administrator's certificate (in this situation mine).
12:09 <@ecrist> can you elaborate further?
12:10 <@ecrist> I'm not quite grokking what you need
12:38 -!- krzee [6820f29d@openvpn/community/support/krzee] has joined #openvpn
12:38 -!- mode/#openvpn [+o krzee] by ChanServ
13:06 <@ecrist> he's alive
13:52 <@krzee> \o/
13:52 <@krzee> just got to cali from argentina
13:52 < _FBi> jesus blood. I've missed you
14:07 <@Eugene> Pics
14:08 < _FBi> Eugene, you missed him -- he's in Thailand now haha
14:08 <@Eugene> My request stands
14:09 < _FBi> lol
15:13 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 240 seconds]
15:51 -!- krzee [6820f29d@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds]
16:14 < jrg> there aren't any clients for windows phone 10 right?
16:14 < jrg> i've been looking around but don't seem to see anything related to openvpn on wp10
16:24 < blistov> has anyone ever noticed, with older implementations of openvpn, that when it checks certificate startdate, it won't convert from the local time zone?
16:25 < blistov> eg: I generate a p12 at 10:30 MST, and deploy the config/cert to a client in CST which should be one hour ahead, but it cannot connect for 4-5 hours due to cert not yet being valid.
16:26 < blistov> Same config/cert on a newer machine with a current version of openvpn, no problem. Connects immediately.
16:32 < Neighbour> I suppose someone fixed it in the meantime then :)
16:33 < blistov> I'm just trying to verify that's what's going on.
16:34 < blistov> And if so, figure out a large scale work around unless I can figure out a way to trick the devs into cross compiling a newer version of openvpn.
16:40 < zoredache> Are your certs that new or close to expiration where it matters? Can you just issue certs with an earlier startdate?
16:42 < blistov> Creating certs from PFsense, which doesn't give you the option to set a startdate :|
16:46 < zoredache> And I suppose generating your certs ~12 hours before you need them isn't an option. Anyway. I have no idea about timezones.
17:39 -!- krzee [6820f29d@openvpn/community/support/krzee] has joined #openvpn 17:39 -!- mode/#openvpn [+o krzee] by ChanServ 17:55 -!- dazo is now known as dazo_afk 17:55 < djiboutiii> Is it possible to run an openvpn server on port 1194 and a client connection (on the same computer) on port 1195... and then remotely connect to the openvpn server? I'm finding that any time the client connection is enabled, I am not able to remotely open a vpn connection to my server on 1194 17:56 <@krzee> of course you can 17:56 <@krzee> your problem is probably that your vpn client is using redirect-gateway 17:57 < djiboutiii> I think you're correct 17:57 <@krzee> which causes your responses to the traffic hitting the server process to be sent out the server it connects to 17:57 <@krzee> !splitroute 17:57 <@vpnHelper> "splitroute" is (#1) https://forums.openvpn.net/topic7175.html to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet or (#2) see !route_override for how to override --redirect-gateway for a certain subnet 17:57 < djiboutiii> That's great, thank you so much! 17:57 <@krzee> you're welcome =] 17:58 < djiboutiii> wow, so rarely does a help post exactly explain my situation 17:58 < djiboutiii> but that's it 17:58 <@krzee> !factoids 17:58 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php 17:59 <@krzee> like 90% of openvpn problems are on that bot 17:59 <@krzee> !botsnack 17:59 <@vpnHelper> "botsnack" is Om nom nom! 18:09 < djiboutiii> Thanks again krzee. Worked perfectly. I'm now able to get into my server from work :) 18:09 <@krzee> glad it helped! 18:09 < djiboutiii> and maintain my existing client connection 19:17 -!- krzee [6820f29d@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds] 19:58 < k2gremlin> Hello all, I switched sides on my site-to-site vpn connection. 
The client turned server is having a slight problem. When I run either "/etc/init.d/openvpn start" or "service openvpn start" it does not start the openvpn process. Only way I can get the server to launch is "openvpn --config server.conf" 19:59 < k2gremlin> previously I ran apt-get remove openvpn and apt-get purge openvpn. Followed by apt-get install openvpn with a fresh install 19:59 < k2gremlin> any ideas? 20:32 -!- excalibr- is now known as excalibr --- Day changed Fri Feb 12 2016 00:52 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has joined #openvpn 00:52 -!- mode/#openvpn [+o mattock1] by ChanServ 01:06 < omgs> k2gremlin: take a look at /etc/default/openvpn 01:14 < tpanarch1st> hello :-) I'm struggling to install a certificate on my iPhone, I need to prepare the OpenVPN configuration file and copy the contents of the certificate but i'm not sure how to actually get the details out of it 01:50 -!- D-HUND is now known as debdog 01:50 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has left #openvpn [] 01:50 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn [] 01:51 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has joined #openvpn 01:51 -!- mode/#openvpn [+o mattock1] by ChanServ 01:52 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has quit [Client Quit] 01:54 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn 01:54 -!- mode/#openvpn [+o mattock] by ChanServ 01:58 -!- mattock_ [~mattock@openvpn/corp/admin/mattock] has joined #openvpn 01:58 -!- mode/#openvpn [+o mattock_] by ChanServ 04:10 -!- dazo_afk is now known as dazo 04:52 < telenieko> Hi. Is there something I should be concerned about when using a 2.1 client with a 2.3 server? I can't get them to talk, but I see nothing in docs about compatibility issues :( 06:34 < natarej> join #ceph 10:34 < k2gremlin> Hello all, site-to-site openvpn connection setup. Both LANs can ping each other. Server is CentOS box and client is an AC66R router. 
PC on Server LAN can access a website on Client LAN. However, server side PC cannot SSH into that same Webserver. Thoughts? 10:35 < _FBi> firewall? 10:35 <@dazo> !serverlan 10:35 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png 10:35 <@dazo> !clientlan 10:35 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a 10:35 <@vpnHelper> better explanation or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/clientlan.png 10:37 < k2gremlin> _FBi, Prior to setting up the OpenVPN, the AC66R had a forward for 8822 to 22 webserver IP. I could access it from WAN. I still can with the WAN IP. But I can ping 192.168.1.13. I can web to it. But I cant SSH to it 10:38 < k2gremlin> dazo, I have all the forwarding turned on. Both sides can ping and access websites and such. Just SHH is failing for some reason 10:38 < k2gremlin> SSH * sorry 10:39 <@dazo> k2gremlin: that is a firewall issue ... either on your VPN server and client or the box you try to ssh into ... try to use tcpdump to see what happens over the VPN tunnel ... and if you see traffic going in at least one direction, check the LAN side where it's supposed to go next 10:44 < k2gremlin> dazo, this is really strange. 
When I web to 192.168.1.13 I see traffic over the tun0 interface fine on the server side of the VPN connection. SSH I see it on the ETH interface of the server... but it never hits the tun interface. 10:45 < ohsnap> hey, sorry im a total noob. so uh i set up openvpn with 2fa using local accounts on the unix server for authentication 10:45 < ohsnap> i needed to revoke someones vpn access but instead of doing the revoke-full command i removed their user account and deleted their keyfiles 10:45 < ohsnap> so now i cant do a revoke-full 10:45 < ohsnap> haha 10:46 < ohsnap> anyway, that should be 'good enough' right? since their local account doesnt exist anymore they wont be able to authenticate, is it really a big issue? 10:47 < k2gremlin> what about re-making the account and then revoking? 10:49 < DArqueBishop> k2gremlin: it's not the account that's the issue. It's the deletion of the keyfiles. 10:50 < DArqueBishop> ohsnap: as you're doing 2fa I would imagine it's not a big deal, as anyone trying to use those certs would still need to authenticate using valid local credentials to log in. 10:51 < ohsnap> DArqueBishop: yeah that is what i figured 10:51 < ohsnap> k2gremlin: well the issue is i deleted all 3 files, the crt, key, whatever else 10:51 < ohsnap> so when i try to run the revoke-full command it just says 'uh that shit doesnt exist' 10:51 < k2gremlin> lmfao 10:51 < k2gremlin> Well if the keys and user are gone.. should be fine? 10:52 < ohsnap> yeah i think so, im just a noob to openvpn so i didnt know if what i did was really bad 10:52 < ohsnap> not really sure how that shit is stored etc. no idea wtf a pem file is. etc 10:53 < k2gremlin> I am RIGHT there with you 10:53 < k2gremlin> Me and a friend have home labs.. that were trying to get working together.. 10:53 < k2gremlin> its been a nightmare! 10:53 < ohsnap> doing a site to site vpn? 
i havent done that yet with openvpn 10:53 < ohsnap> this is just for remote access atm 10:55 <@dazo> ohsnap: there is a big flaw in most "how to set up your OpenVPN CA" guides on the Interwebs .... the OpenVPN server needs 4 files to function: server.key, server.crt, ca.crt and dh*.pem ... and an optional 5th file for revoked certificates (the CRL file) 10:55 < k2gremlin> Yea well I have 100 new grey hairs because of it... lol 10:55 < k2gremlin> dazo, what about the ta.key? 10:55 <@dazo> So deleting .key, .csr and/or .crt won't change anything 10:56 < k2gremlin> dazo, what if he re-generated his ca? 10:56 <@dazo> k2gremlin: ta.key is also optional, but yes, you are right ... but that isn't directly tied to the PKI side 10:56 < k2gremlin> then it would be a mis-match and the client would fail to connect? 10:56 <@dazo> k2gremlin: and you would need to issue brand new certificates to all other (valid) clients 10:57 < k2gremlin> dazo, depending on how many clients he has.. could be a pain lol 10:57 < k2gremlin> but you're right 10:57 < k2gremlin> ohsnap, did someone get fired? lol 10:59 <@dazo> k2gremlin: regarding your ssh issue ... so you have a firewall issue related on the OpenVPN box closest to your SSH server 10:59 < ohsnap> k2gremlin: yeah my coworker just did :| 11:00 < k2gremlin> dazo, firther testing... from the OpenVPN server.. I can SSH to 192.168.1.13 and I see traffic on the tun interface. But a client on the Server LAN cannot. 11:01 < k2gremlin> further* 11:01 <@dazo> Okay, I'm confused ... the ssh server is on which lan? 11:01 < k2gremlin> the SSH that I am trying to connect to is on the Client LAN 11:02 < k2gremlin> Ovpn Server can SSH into it. Weird part is, on the tcpdump, the source IP is my WAN IP and not the tun IP or Server LAN Ip. 11:02 < k2gremlin> traceroute from Openvpn server to 192.168.1.13 shows it hops over the tun 11:04 < k2gremlin> disregard the last.. 
it's sourcing the hostname 11:04 < k2gremlin> which is fine 11:11 < k2gremlin> dazo, you ever use join.me? I can show you whats going on 11:12 < DArqueBishop> k2gremlin: you say you can hit other ports on the client LAN server from the server LAN, but just not the SSH one? 11:12 < k2gremlin> DArqueBishop, Correct. I can hit port 80 for example and pull a webpage from my PC to his webserver. 11:12 < k2gremlin> I cannot SSH directly from PC to that same webserver. 11:13 < k2gremlin> DArqueBishop, I can however, SSH into that webserver from my Ovpn Server machine. 11:13 < k2gremlin> And I see traffic on the tun interface as I should. But when I try to connect from my PC, I see traffic on the Ovpn Server ETH interface, but not on the tun interface. 11:18 < tpanarch1st> Hello, i'm having some difficulties setting up VPN on my iPhone 5S (Latest iOS). I have been following this guide - http://blog.remibergsma.com/2013/03/13/secure-browsing-on-ios-iphoneipad-using-openvpn-and-the-raspberry-pi/ I am stuck on the section "Preparing and importing the OpenVPN configuration file" (I am not using a raspberry pi just for Info) - I have googled and I am struggling to get the cert text I need to create the file tha 11:18 < tpanarch1st> t the tutorial instructs me to create. The VPN is OpenVPN and EasyRSA. I have created a PK12 key :-) 11:20 < DArqueBishop> tpanarch1st: I could be mistaken (others could correct me), but if you generated a PK12 file to go into your iDevice's keychain, then it should have both the cert and the key. 11:21 < tpanarch1st> DArqueBishop: hello :) the link above is to the tutorial I am following, it states that I should create a configuration file with the cert details in it, apparently iOS strips it :) 11:21 < k2gremlin> tpanarch1st, you can embed the certs in an XML style. 11:21 < DArqueBishop> To be fair, tutorials are usually crap. 
11:22 < tpanarch1st> k2gremlin: i'm not sure where to start, is it actually the PK12 file that I need to "open" 11:22 < tpanarch1st> tried doing it with cat - clearly I was wrong, encoding wouldn't work that way :-D 11:22 < DArqueBishop> tpanarch1st: the cert it asks to put into the config file is the ca.crt file. You can always just add that in separately with the config file. 11:23 <@dazo> !clientlan 11:23 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a 11:23 <@vpnHelper> better explanation or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/clientlan.png 11:23 < tpanarch1st> DArqueBishop: are you confident that if I deviate from the tutorial on just that bit and follow the rest that I will be OK :) 11:23 <@dazo> k2gremlin: I believe your solution is here ^^^ 11:24 < DArqueBishop> On my own iDevices, instead of including the ca.crt file contents inline with , I used "ca ca.crt" and uploaded the ca.crt file with the config file. 11:25 < tpanarch1st> DArqueBishop: oh brilliant, atm, I have created a cert, SCP'd the PK12, Emailed it and installed it on my iPhone, then i've downloaded the OpenVPN application - is that correct so far? 11:25 < ohsnap> thanks again all, be well 11:33 <@dazo> tpanarch1st: you can also inline pkcs12 files in config files too ... base64 encode the pkcs12 file and put it inside ... 11:34 < tpanarch1st> oh my Lord dazo never done anything like that before :) 11:34 < DArqueBishop> dazo: the advantage to how he and I did it is that if it's in the keychain, it's more secure than if it's in the config file. 
11:34 <@dazo> fair enough 11:35 < tpanarch1st> oh DArqueBishop I might not be doing it that way am I, I was going to just copy and paste :) 11:35 < tpanarch1st> as per the tutorial 11:35 <@dazo> I dunno on iOS ... but I believe "OpenVPN for Android" imports certs from the config file into the local key storage though ... right, plaisthos? 11:36 < DArqueBishop> I don't think iOS does that. 11:37 < tpanarch1st> DArqueBishop: so can I just deviate on that particular small section of the tutorial and can the rest be followed? 11:37 < tpanarch1st> because I can scp the crt file sure - and I guess that will open as easy as "pi" ;-p ? 11:37 < DArqueBishop> tpanarch1st: essentially, there are two certs: the ca.crt file and the p12 file. Both are needed to connect to the server. 11:37 <@dazo> I don't even know if OpenVPN Connect on Android (the official OpenVPN Tech client, closed source) does it - which carries much of the same code base as the iOS OpenVPN Connect code base (closed source due to Apple's requirements) 11:38 <@dazo> While "OpenVPN for Android" is true open source, and developed by plaisthos 11:38 <@dazo> so the latter one is the community preferred Android version 11:38 < tpanarch1st> :-D 11:38 < tpanarch1st> DArqueBishop: I appreciate your plain English approach :) 11:39 < tpanarch1st> I understand you too dazo! 11:39 <@dazo> DArqueBishop: but the .p12 file can contain ca.crt (including intermediate CAs) and client cert+key 11:39 <@dazo> the only thing which can't be put into it is the ta.key 11:40 < DArqueBishop> dazo: good point. 11:40 < DArqueBishop> It's been a while since I've needed to generate a p12 file. 11:41 <@dazo> I've generally found .p12 files easier to handle when it comes to updating clients ... 
but I deployed that in production before I realized the inline pkcs12 feature :) 11:41 <@dazo> And .p12 files do the CA cert chaining correctly out-of-the-box, which is far harder to get right with separate ca/client certs 11:51 < tpanarch1st> ahhh between you both, because i'm really new i'm scared to deviate by a letter from the tutorial, how do you both think I should move forward please - I struggle with technical documents as that's when my Dyslexia plays havoc with me 11:51 < tpanarch1st> sorry dazo DArqueBishop (Didn't tag you) 11:53 < DArqueBishop> tpanarch1st: I'm a firm believer in knowing as much as you can before going forward. 11:54 < DArqueBishop> I would recommend reading the HOWTO and OpenVPN Connect FAQ as well. 11:54 < DArqueBishop> !howto 11:54 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN 11:54 < DArqueBishop> https://docs.openvpn.net/docs/openvpn-connect/openvpn-connect-ios-faq.html 11:54 <@vpnHelper> Title: OpenVPN Connect iOS FAQ (at docs.openvpn.net) 11:55 < tpanarch1st> i've been here before - I couldn't make head nor tail of it! 11:55 < tpanarch1st> I just realised i'd need to learn how to do the tasks and then make my own notes 11:56 < tpanarch1st> piece by piece 12:00 < Jakey3> Hi, after following https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-14-04. I dont seem to have created the .ovpn file 12:01 < Jakey3> at which point in the procedure is the .ovpn file created 12:01 < Jakey3> ? 12:01 <@Eugene> !ovpn 12:01 <@vpnHelper> "ovpn" is (#1) OpenVPN GUI will load config files with a .ovpn extension when double-clicked. 
or (#2) this is the same config file format as the standard .conf, just renamed to allow Windows to associate it with the openvpn program 12:01 <@Eugene> If you read that post closer, it specifically says " In the copy process, we are changing the name of the example file from client.conf to client.ovpn because the .ovpn file extension is what the clients will expect to use." 12:01 < Jakey3> ah thanks 12:02 < Jakey3> correct missed that 12:02 * dazo dislikes the digitalocean.com OpenVPN guides immensely 12:03 < Jakey3> dazo, why? 12:03 <@dazo> digitalocean guide leads you into a potential security trap ... placing the CA files on the server 12:03 <@Eugene> Meh. It's mostly correct, but it is indeed not the official howto 12:04 <@dazo> Jakey3: the easy-rsa stuff should really never ever be on a publicly available computer on the internet 12:04 <@Eugene> If you're paranoid about that sort of thing 12:04 <@dazo> Yeah, I am ... if you lose control of your CA key ... you can't trust the CA .... and how do you trace if somebody copied out your CA key file? 12:05 <@Eugene> If you've got just one openvpn server(most people do), the point is moot 12:06 <@Eugene> Single point of failure/compromise and all that jazz 12:06 <@dazo> so you trust the VPSes to keep your data safe? 12:06 * dazo don't 12:06 <@Eugene> Nope, but I trust them exactly as much with my crypto keys as with the rest of the data 12:07 <@Eugene> If you've got root on my server then I've already lost, so why fight the battle over a key that's only used on that server? 12:07 < Jakey3> can someone recommend a client gui for openvpn on ubuntu 12:07 < Jakey3> ? 12:07 <@Eugene> My experience is that the openvpn CA is only used for that one openvpn server.... obviously if you've got a more involved CA then you'll want to keep better care of it 12:07 <@Eugene> !ubuntu 12:07 <@vpnHelper> "ubuntu" is dont use network manager to configure your vpns! 
get it working via commandline and then import to network manager if you want to use it. 12:08 < Jakey3> haha, ok 12:08 <@Eugene> NetworkManager is the traditional answer.... as well as being utter shite. 12:08 <@Eugene> I use `systemctl` on my CentOS machines 12:08 < Jakey3> ok, thanks for the heads up 12:09 <@Eugene> I dont know what the current state is in Ubuntu; the CentOS packages will let you turn individual foo.conf on/off via systemd/systemctl magic 12:10 < Jakey3> ok 12:10 <@Eugene> `systemctl start|stop|enable|disable openvpn@foo` 12:10 <@Eugene> Where you're using /etc/openvpn/foo.conf 12:11 <@dazo> Eugene: yeah, that's true ... *if* the ca.key is protected with root-only privileges (that may just as often not be the case) ... plus, as I said, you can't be sure somebody did not copy the ca.key and then start issuing certs for their own need ... which may be to abuse your VPN server for whatever they want ... if it is snooping on your VPN tunneled traffic or using it for proxying traffic is really not that hard to imagine 12:12 <@Eugene> That sort of adversary could just as easily intercept your kernel 12:12 <@dazo> Eugene: Jakey3: Another issue the digitalocean does not touch ... that you really do need a good random number generator when producing dh*.pem and key files ... most VPS hosts do not have that, which produces weak keys - even if you have 4kbit keys 12:12 <@dazo> Eugene: replacing the kernel is somewhat harder though 12:13 < Jakey3> fair enough 12:13 <@dazo> Eugene: and if you have SELinux enabled .... that will also protect quite well ... 
modern kernels do module signing as well, which makes it harder to inject non-signed modules 12:13 <@Eugene> Anybody with host access can dump your RAM, end of story 12:13 < Jakey3> im just setting up the vpn to circumvent my parents parental lockdown on the home trouter 12:13 < Jakey3> *router 12:13 < Jakey3> haha 12:14 <@Eugene> If you have a shell on my box, I assume you have root through an unpatched CVE. 12:14 < Jakey3> so no need for top security this time 12:14 <@Eugene> And if you have root, I assume you have hypervisor control through similar methods 12:14 <@Eugene> And if you have hypervisor control, I'm boned. 12:14 < Jakey3> i mean set by the isp not home router 12:14 <@Eugene> Jakey3 - good on ya. Just don't get beaten for it ;-) 12:15 <@Eugene> parents, nothing but trouble 12:15 < Jakey3> haha, well im near 30 so unlikely 12:15 <@Eugene> Brutal 12:16 <@dazo> Eugene: the less you trust a host, the less reasons why to put anything likely interesting on it ... like key files you normally don't need on a day-by-day basis 12:17 <@Eugene> Yup. Or, and what I'm advocating, is that you stop caring about the NSA when all you're protecting is cat photos and some porn browsing 12:17 <@Eugene> Which is pretty close to DO's target audience 12:17 < Jakey3> lol 12:18 <@Eugene> My IT security views are so pessimistic that I've come full-circle to running it unencrypted because it's easier, and you've already lost 12:18 <@Eugene> !shotgun 12:18 <@vpnHelper> "shotgun" is (#1) the most effective form of physical security or (#2) shotgun security? If you try to physically attack my network, I chase you with a shotgun. 12:19 <@dazo> well, we have different views on IT security 12:19 <@Eugene> I totally agree with you and you're right. 
It's just pointless 12:20 < tpanarch1st> so am I right in saying that to copy the relevant bits of the file to the openvpn configuration file, i can either copy the bits out of the CRT or alternatively just transfer the CRT file at the same time? 12:20 < tpanarch1st> and skip that stage of the tutorial 12:21 <@Eugene> tpanarch1st - you can copy the certificate as a file(typically ending in .crt) and refer to it with --cert, or you can copy-paste the contents into your config file "inline", surrounding it with 12:21 <@dazo> tpanarch1st: I started writing this "simpler howto" a long while ago ... https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN 12:21 <@vpnHelper> Title: GettingStartedwithOVPN – OpenVPN Community (at community.openvpn.net) 12:21 <@dazo> it should get you through most obstacles 12:21 * dazo just remembered that now 12:22 <@Eugene> See the man page section INLINE FILE SUPPORT for more info 12:22 < tpanarch1st> dazo: thanks :-) I've saved that in my bookmarks! 12:22 <@dazo> oh, it was actually meant just as much for Jakey3 :) 12:26 < tpanarch1st> dazo: handy read though - sorry :-D 12:26 <@dazo> :) 12:27 < tpanarch1st> Eugene: thanks :) 12:27 < Jakey3> thanks 12:27 <@Eugene> !beer 12:27 <@vpnHelper> "beer" is what's for dinner (and occasionally breakfast) 12:34 < tpanarch1st> how do I know if i'm using UDP or TCP please - I suspect it would be TCP as my friend helped me last year 12:34 <@Eugene> The default is UDP. Your config should have "tcp" or 'udp' in it 12:34 <@dazo> tpanarch1st: you should generally always try UDP by default 12:34 < tpanarch1st> ah eugene which is the config file please :) 12:35 <@dazo> Eugene: you don't need --proto udp ... that is the default if it isn't configured. --port is set to 1194 by default too 12:35 <@Eugene> dazo - "The default is UDP." 12:35 < _FBi> !seen krzee 12:35 <@vpnHelper> krzee was last seen in #openvpn 18 hours, 26 minutes, and 39 seconds ago: glad it helped! 
12:36 < tpanarch1st> dazo: are you referring to the tutorial :) 12:36 <@dazo> tpanarch1st: no, not really 12:37 <@dazo> tpanarch1st: regarding to "which config file" ... that depends, there is no "default" config file ... but most distros have their set of standard locations for the config files 12:37 <@dazo> distros/installations 12:38 < tpanarch1st> dazo: this is on an OpenWRT router - could it be sysctl.conf? 12:38 <@dazo> nope 12:38 < tpanarch1st> ah so not in the OpenVPN directory 12:38 <@dazo> oh, openwrt has its own weird config syntax if you use /etc/config and the init.d script shipped with openwrt 12:39 < tpanarch1st> is that what i should do :) 12:39 <@dazo> you normally just put 10-15 config lines into a file somewhere and do: openvpn --config /full/path/to/config-file.conf 12:41 < tpanarch1st> eeek i just have no idea for my purpose dazo 12:41 <@dazo> tpanarch1st: go the simple path first ... which is what I described 12:42 < tpanarch1st> dazo: bit frightened deviating from the tutorial 12:42 < tpanarch1st> got no comeback then :) 12:42 <@dazo> which tutorial? 12:42 < tpanarch1st> dazo: http://blog.remibergsma.com/2013/03/13/secure-browsing-on-ios-iphoneipad-using-openvpn-and-the-raspberry-pi/ 12:43 <@dazo> okay, so yet another unofficial tutorial .... :/ 12:43 < tpanarch1st> if you skip to "Preparing and importing the OpenVPN configuration file" 12:43 < tpanarch1st> it's the same one i've been following throughout, really difficult to get one that explains in a way i understand 12:45 * dazo need to move ... back in a while 12:47 < tpanarch1st> ah thanks for your time dan_j 12:47 < tpanarch1st> dazo: * 13:07 -!- ghoti_ is now known as ghoti 14:05 < tpanarch1st> hmmm im currently getting ssl read error, X509 certificate verification failed, eg crl, ca or signature check failed when trying to connect with the openvpn client on the iPhone, any ideas please? 
14:40 -!- abra0 is now known as and 14:51 -!- and is now known as abra0 15:48 < tiller> hi 15:48 < tiller> A friend of mine is having a really weird issue with OpenVPN. He's trying NOT to have his internet traffic going through the VPN, but it just does 15:49 < tiller> The weird thing is that when we look at his route, his default route has a metric of 20 (0.0.0.0 mask 0.0.0.0 192.168.1.1 metric 20) and his VPN's route has a metric of 30 (0.0.0.0 mask 128.0.0.0 10..... metric 30) 15:49 < tiller> (he's using Windows) 15:49 < tiller> But when trying tracert 8.8.8.8, the first hop is the VPN server instead of his internet router 15:49 < tiller> We tried to increase the metric to 999+, but tracert still followed the VPN's route 15:49 < tiller> any idea on the issue here? 15:51 < DArqueBishop> !configs 15:51 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting 15:54 < tiller> !paste 15:54 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show 15:57 < tiller> (client http://fpaste.org/322029/14553139/ ) 16:00 < tiller> (server http://fpaste.org/322035/55314157/ ) 16:02 < tpanarch1st> hello, ive emailed my cert to myself so my friend is annoyed with me and says i'll need to change everything, is it difficult to do please? 16:16 < DArqueBishop> tiller: I see your problem. 
The server is configured to have clients send internet traffic through the OpenVPN server. 16:18 < tiller> DArqueBishop: we want the server to be able to have the traffic going through the server. We then have 2 different client configs to choose whether to redirect the traffic or not 16:19 < tiller> with my server and on my computer, it works fine. But for him it doesn't go that well, if we -should- have the same configs 16:20 < DArqueBishop> tiller: I could be wrong, but then you'd want redirect-gateway on the client configs but not on the server. 16:21 < tiller> oh gosh, you're right. He didn't comment out the push redirect 16:21 < tiller> We'll test that, but I think you're right 16:23 < Neighbour> tpanarch1st: the cert is public, the key isn't....as long as the key is still private, there's no need to change anything 16:24 < tpanarch1st> Neighbour: ive emailed a pk12 and a .cert 16:24 < Neighbour> hm, the pk12 could contain the private key 16:24 < tpanarch1st> yep 16:24 < tpanarch1st> this is what my friend is pissed at me for 16:25 < Neighbour> well, the next step on the server would be to revoke your cert and create a new key/cert pair 16:30 <@plaisthos> yes OpenVPN for android offers you to import pkcs12 into the android keychain 16:33 < tiller> DArqueBishop: That was it. Thanks mate 16:35 < knightmoves> what's the process model for openvpn? e.g., does each client get its own forked off process? 16:35 <@plaisthos> no 16:35 <@plaisthos> single thread 16:35 <@plaisthos> everything handled by one process 16:36 < knightmoves> thanks 17:56 -!- dazo is now known as dazo_afk 18:40 < toothe> I'm trying to get a tunnel working, but I Get a series of these errors: http://dpaste.com/3K9H3R0 18:40 < toothe> the second part repeats again and again. 
18:51 < Jakey3> when i connect to my openvpn from an ubuntu machine i get the following error 18:51 < Jakey3> Can't find host 2.ubuntu.pool.ntp.org: Name or service not known (-2) 18:51 < Jakey3> any idea 18:51 < Jakey3> it connects but no access to the internet 19:02 < Jakey3> ? 19:22 < toothe> gah 19:22 < toothe> im getting this repeat error --- Day changed Sat Feb 13 2016 02:09 -!- s7r [~s7r@openvpn/user/s7r] has quit [Read error: Connection reset by peer] 06:36 -!- rich0_ is now known as rich0 07:02 < k2gremlin> Morning all. 07:02 < hiya> hi 07:08 < k2gremlin> So I can pass traffic from OVPN Server to Client LAN machines. Tested by using SSH to a Client LAN Ubuntu, and telnet to several ports on Server 2012 Machine on Client LAN. However, Server LAN clients cannot do the same. 07:08 < k2gremlin> The traffic from the server LAN never hits the tun0 interface... per tcpdump 07:09 < Neighbour> is ipv4 forwarding enabled? 07:11 < Neighbour> and does the default gateway (or all the clients where you want to do this at) have a route to the client LAN ip's? 07:11 < Neighbour> ^ on the server LAN 07:12 < k2gremlin> Yes and Yes. cat for the ip_forward returns 1 on the server. Clients on the Server LAN can Ping clients on the client LAN. 07:12 < k2gremlin> My PC can actually pull a web page from a Client Webserver. 07:13 < k2gremlin> using private IP's 07:13 < k2gremlin> But My PC cannot ssh to the client LAN webserver 07:13 < Neighbour> and your PC is on the server LAN? (probably, but checking anyway) 07:13 < k2gremlin> My OpenVPN server is also running a transparent proxy that intercepts 80 and 443.. but thats it. 07:13 < k2gremlin> Yes 07:14 < Neighbour> do you perform any NAT between both LANs? 07:14 < k2gremlin> Only on the outbound WAN connection 07:14 < Neighbour> ok, so that's not it either :) 07:15 < k2gremlin> traffic shouldnt make it that far.. Server LAN GW is the OVPN Server Eth1. 
Client LAN GW is the OVPN client AC66R router 07:15 < Neighbour> can you ping the webserver from your pc? 07:15 < k2gremlin> Yep 07:15 < k2gremlin> and I see that icmp traffic on the tun 07:15 < Neighbour> then something is firewalling your ssh connection 07:15 < k2gremlin> but when I try to ssh.. I only see traffic on the eth interface 07:15 < Neighbour> if you can ping (and receive replies), the networking infrastructure is working fine 07:15 < k2gremlin> idk what it could be.. I can't telnet to a variety of ports either 07:16 < k2gremlin> The OVPN server can telnet to the ports I need.. but the PC can't 07:16 < Neighbour> does the openvpn server have iptables entries in the filter chain? 07:16 < k2gremlin> with the transparent proxy in place, I have external and internal zones. 07:16 < k2gremlin> I added tun0 to my internal zone and the appropriate ports allowed. 07:16 < Neighbour> `iptables -L -n -v` 07:16 < k2gremlin> using firewalld 07:17 < Neighbour> all firewall software eventually uses iptables to do the real work :) 07:17 < k2gremlin> really.. 07:17 < Neighbour> well, on linux anyway :) 07:17 < k2gremlin> well I don't know what I am doing when it comes to iptables :/ 07:17 < k2gremlin> I can pastebin my results from that command.. 07:17 < k2gremlin> its long lol 07:18 < Neighbour> the output should show the INPUT chain, the FORWARD chain (which is where we want to look at) and the OUTPUT chain 07:18 < k2gremlin> http://pastebin.com/Awc0QpiZ 07:18 < Neighbour> INPUT and OUTPUT concern the server itself, but FORWARD is applied to traffic passing through (like the ssh you want to get working) 07:19 < k2gremlin> I feel like your knowledge is going to be like ah-ah! theres your problem.. 07:21 < k2gremlin> Neighbour, looks like there isnt much on the forward chains at all 07:21 < Neighbour> it has jumps to other chains 07:21 < k2gremlin> forward_zone_out shows accept icmp 07:22 < k2gremlin> but it doesnt have say.. http.. 
but I can still web 07:22 < Neighbour> your PC is on the eth0 LAN (seen from the server)? 07:22 < k2gremlin> Eth1 07:22 < k2gremlin> Eth0 is WAN 07:22 < Neighbour> ok 07:24 < Neighbour> there are allow rules for port 22 in IN_internal_allow, IN_public_allow, IN_external_allow 07:24 < Neighbour> now let's see to which one your connection should fall (or doesn't) 07:25 < Neighbour> that would be none, since those are all referenced (directly or indirectly) from the INPUT chain 07:25 < Neighbour> and that's only used for connections to the server itself 07:26 < k2gremlin> One note, on the client webserver, I did change the port to 8823 in an attempt to use something other then 22.. didn't work.. lol 07:26 < k2gremlin> Ok I am following.. sort of 07:26 < Neighbour> so somehow a rule for port 22 (or whichever port you want to use) should be added to one of the FORWARD chains 07:27 < k2gremlin> I can add a forward with firewalld 07:27 < k2gremlin> on the internal zone 07:27 < Neighbour> I think this one: FWDI_internal_allow 07:28 < Neighbour> give it a try 07:30 < k2gremlin> Ok I did "firewall-cmd --zone=internal --add-forward-port=port=53:proto=tcp:toaddr=192.168.1.185" .185 is a ADDS Server. I can telnet from my PC now.. interesting 07:30 < k2gremlin> So I have to do that for EVERY port I need access to? 07:30 < k2gremlin> No way to say any traffic for 192.168.1.x put on tunnel? 07:32 < Neighbour> depends on how firewalld works 07:32 < k2gremlin> yea I am researching it now 07:32 < Neighbour> in iptables you can basically tell it to allow traffic from a subnet on a port to another subnet (or interface, or everything)... 07:32 < Neighbour> iptabels is very flexible :) 07:32 < Neighbour> iptables* 07:34 < Neighbour> I think you should be able to use 192.168.1.0/24 as tcp:toaddr-value 07:34 < k2gremlin> So with this setup.. even though I primarily use firewalld, can I still make an entry to IPtables? 
07:34 < k2gremlin> say an entry like "anything from 192.168.2.X to 192.168.1.X forward to tun0 interface? 07:34 < Neighbour> yep, though when you change something in firewalld, i'm not sure if your manual change in iptables will survive :) 07:35 < k2gremlin> lol... fk.. 07:35 < k2gremlin> even with an iptables-save? 07:35 < Neighbour> but that depends entirely on how firewalld is built 07:35 < Neighbour> iptables-save saves all the iptables-entries 07:36 < Neighbour> but if you change something in firewalld, the iptables-entry for that change gets added...so when you reload your saved iptables, that firewalld-change gets lost 07:36 < Neighbour> best to do all changes from one source :) 07:36 < Neighbour> which means figuring out how to set the forward rule in firewalld 07:37 < k2gremlin> Yep will do 07:37 < k2gremlin> Over to the linux channel I go :) 07:37 < k2gremlin> thanks a bunch 07:38 < Neighbour> the quick fix in iptables would be something like `iptables -I FORWARD 2 -i eth0 -p tcp -s 192.168.2.0/24 -d 192.168.1.0/24 -j ACCEPT` (untested) 07:38 < Neighbour> -p tcp is not even needed (unless you are going to specify ports) 07:39 < Neighbour> you could also specify -o tun0 here, but since the routing table should determine that 192.168.1.* should go to tun0 anyway, I left it out 07:52 < k2gremlin> Neighbour, sorry got DC'ed testing firewall lol 07:53 < k2gremlin> Neighbour, This is working perfect.. http://pastebin.com/Vkp5gFMs However, Like you said, when I restart firewalld.. it deletes these lol 07:54 < k2gremlin> So now.. I need to figure out how to make his AC66R router forward that stuff back.. 07:58 < k2gremlin> hmm, the AC66R doesnt give me an option to select the tun interface.. 08:11 < Neighbour> you don't have to select the tun interface if you can select the IPrange 08:53 -!- Amplificator_ is now known as Amplificator 08:53 < k2gremlin> Neighbour, Understood. Also figured out why I couldnt SSH to his webserver even after getting the rest working. 
He still OpenVPN server running that was creating a route for my network over its own tun0 interface. We had previously tried setting up the VPN connection on servers below the router 12:15 < dmaiocchi> hi all, is there a testsuite from openvpn for testing purpose= 12:15 < dmaiocchi> =? 13:00 < saik0> I'm trying to do a perf test between two bsd jails on the same box. ovpn is connected between them, ips/ routes look like this http://pastebin.com/KmJM5XpB 13:01 < saik0> But pings from one to the other through the tunnel timeout 13:02 < saik0> Am I missing something with the routes? 14:56 < evilroots> hi 14:56 < evilroots> i havea vps i setup 14:56 < evilroots> openvpn is running and i have oopen vpn on my windows 7 running but 14:57 < evilroots> i cannot setuop a http or socs proxy 14:57 < evilroots> and i cant seem to open the config file on vps 14:57 < evilroots> root@c1560:~# oepnvpn --config file 14:57 < evilroots> -bash: oepnvpn: command not found 14:57 < evilroots> root@c1560:~# openvpn --config file 14:57 < evilroots> Options error: In [CMD-LINE]:1: Error opening configuration file: file 14:57 < evilroots> Use --help for more information. 14:57 < evilroots> root@c1560:~# openvpn --config 14:57 < evilroots> Options error: Unrecognized option or missing parameter(s) in [CMD-LINE]:1: config (2.3.4) 14:57 < evilroots> Use --help for more information. 14:57 < evilroots> root@c1560:~# openvpn -config 14:57 < evilroots> Options error: In [CMD-LINE]:1: Error opening configuration file: -config 14:57 < evilroots> Use --help for more information. 14:57 < evilroots> root@c1560:~# openvpn --config 14:57 < evilroots> Options error: Unrecognized option or missing parameter(s) in [CMD-LINE]:1: config (2.3.4) 14:57 < evilroots> Use --help for more information. 14:57 < evilroots> root@c1560:~# 14:58 < evilroots> --help is of no help 20:09 < linuxthefish> hey, i'm using openvpn tap for layer 2 routing - is there any way i can tell it not to give clients an IP? 
20:12 < linuxthefish> i've tried changing to p2p topology, but openvpn fails to start
20:16 < linuxthefish> ah logging fixed thanks!
20:31 < Pinchiukas> I'm running OpenVPN in an LXC container and I'm having trouble making it work. I can ping the VPN endpoint, the OpenVPN container local IP but I don't get replies from the default 10.0.3.1 - lxc host-side IP.
20:31 < Pinchiukas> Forwarding is turned on in the OpenVPN container.
--- Day changed Sun Feb 14 2016
03:24 < Unsyncd> Hi guys, may someone can help me, is it possible to setup OpenVPN client for a dedicated server, only for one user ?
03:25 < Unsyncd> Because I would like to link my server to another through OpenVPN, but when I do, my server isn't accessible from outside
05:39 < PowerKiller2> aww, he left
05:39 < PowerKiller2> I could help him
09:56 < KermitTheFragger> hi all
09:56 < KermitTheFragger> i'm banging my head against an issue and im hoping for some insights
09:57 < KermitTheFragger> i'm experiencing high packetloss in my VPN tunnels
09:57 < KermitTheFragger> when I ping i lose about half of them
09:57 < KermitTheFragger> i checked for MTU problems but cant find any
09:58 < KermitTheFragger> it started this friday all of a sudden...im thinking my ISP made some sort of config change
09:59 < KermitTheFragger> so i did some tests by sending UDP packets (I use OpenVPN over UDP) of various sizes and checking if they get lost
09:59 < KermitTheFragger> but none of the packets get lost. And outside of the tunnel i experience no packetloss at all
09:59 < KermitTheFragger> the joke is, that if i open a VPN tunnel from my inside network (different network segment) it works fine, no packet loss whatsoever
10:00 < KermitTheFragger> but all VPN tunnels over the Internet connection seem to experience that problem
10:00 < KermitTheFragger> but i can't reproduce it outside of the tunnel. I would expect to be able to reproduce UDP packets which get "lost"
10:03 < KermitTheFragger> does anyone know what, besides MTU, can cause packetloss inside the tunnel?
17:58 < sweatsuit> i'm hitting a wall trying to connect a ipv6 client to ipv4 server. does anyone know how?
18:23 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
18:23 -!- mode/#openvpn [+v s7r] by ChanServ
19:27 < wiz> sweatsuit: you mean some kind of 6to4 xlation ?
19:28 < wiz> or do you mean you have no ipv4 address at all, ie. you're on an ipv6 only network?
23:04 -!- frank-- is now known as thumbs2
23:04 -!- thumbs2 is now known as httpd
23:05 -!- httpd is now known as thumbs
23:23 -!- krzee [6820f29d@openvpn/community/support/krzee] has joined #openvpn
23:23 -!- mode/#openvpn [+o krzee] by ChanServ
23:40 < sweatsuit> wiz: I'm at a location with ipv6 connection and trying to connect to my server that is ipv4 only
23:41 < wiz> is it dual stack v6 and v4 or v6 only?
--- Day changed Mon Feb 15 2016
03:29 < freekevin> sweatsuit test your ipv6-test.com
03:30 < freekevin> you must have a ipv4 ip associated with that ipv6 connection
03:30 < freekevin> or you would not be chatting here
03:30 < freekevin> or does freenode have an ipv6 connect address?
03:36 -!- dionysus70 is now known as dionysus69
04:35 < hotbobby> hi all. i cant get ipv6 to work over my vpn. my host gives me a native /64, i fixed sysctl.conf and set my firewall to allow forwarding. here is server/client conf as well as server/client ifconfig and logs http://pastebin.ca/3374268
04:35 < hotbobby> id really appreciate any help. i just cant figure this one out
04:37 < hotbobby> i cannot ping the endpoint of the tunnel once connected either, if that helps
05:30 < netizen> Hi
05:30 < hiya> hi
05:31 < netizen> Anyone could hint me about why $proto is empty on my CONNECT/DISCONNECT scripts ?
05:31 < hiya> which script?
05:32 < netizen> I've got a gentoo fw with 10 vpn daemons, and a handful of clients, because config requirements, and a centralized log server
05:32 < netizen> Sample from one of them
05:32 < netizen> script-security 3
05:32 < netizen> client-connect "/usr/local/bin/vpn ais CONNECT"
05:32 < netizen> client-disconnect "/usr/local/bin/vpn ais DISCONNECTED"
05:32 < netizen> this is one of the server configs
05:33 < netizen> the vpn script has:
05:33 < netizen> logger -n rex -P 999 -t VPNx[${1}${action}${action}] -- ${action}${rhostname} ${ifconfig_pool_remote_ip}" ("${trusted_ip}/${proto}")" ${signal} ${time_duration};;
05:33 < netizen> but it always logs "(tusted_ip/)" ($proto is empty)
05:34 < hiya> netizen, in logs?
05:34 < netizen> the script uses the binary "logger" to send custom log entries to the central syslog
05:37 < hiya> I do not follow, sorry
05:39 < netizen> 20160215 114425 fw2 VPNx[ais++] 20º aisl.ais.vpn.region.ou 10.21.9.36 (edi.te.d.ip/)
05:40 < netizen> That's a sample syslog entry, the internal and external IPs are set by the vpn daemon, as shown in the man page (trusted_ip/ifconfig_pool_remote_ip)
05:41 < netizen> I'll try the forums and/or serverfault, thx for trying :)
05:41 < hiya> netizen, I don't know why won't it print proto
06:57 -!- krzee [6820f29d@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds]
06:59 -!- krzee [6820f29d@openvpn/community/support/krzee] has joined #openvpn
06:59 -!- mode/#openvpn [+o krzee] by ChanServ
07:17 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 240 seconds]
07:17 -!- mattock_ is now known as mattock
08:29 -!- skyroveRR_ is now known as skyroveRR
09:26 < sweatsuit> wiz: it looks like it's dual stack
09:28 < sweatsuit> freekevin: i can make ipv4 connections to my server, but my web browser reports an ipv6 IP that doesn't change when VPN is connected. Does this mean my browser traffic is not secured to VPN?
09:50 < ohsnap> hey all. i thought i remembered seeing this option somewhere but i cant find it right now. i currently have openvpn doing 2fa auth
09:51 < ohsnap> using client/server keys + their username/password from the local unix machines accounts
09:52 < ohsnap> the problem i have is i want to make sure that a person can only use their username/password combo with the cert that was generated for them (the certs were signed with their local accounts username as the 'common name')
09:52 < ohsnap> so in other words i want to make sure that one user can't use their certs to connect using the username/password credentials for a different system account
09:53 < ohsnap> in my case, i can log into the VPN using my own keyfiles, but supply the username/password for any other account on the system (root, etc)
09:54 < hiya> ohsnap, So you want auth method as Password with TLS (Certs)
09:55 < hiya> and such that each user has its own certs + user/pass?
09:55 < ohsnap> what i want is so that a user cannot use someone elses user/pass and their own cert
09:56 < hiya> Oh
09:56 < ohsnap> in other words, i want the openvpn server to say 'yes that is a valid cert, and that is a valid username/pass, but the username you supplied does not match the common name from the cert so access denied'
09:58 < hiya> ohsnap, then keep the username + tls-certs name same? and give the user only his own password-username?
09:59 < hiya> and if you do not use duplicate cert in server.conf then users cannot reuse the certs
10:00 < ohsnap> hiya, well, that is what i thought i did but let me explain
10:01 < ohsnap> this weekend i was out of town and i needed to connect to the vpn. i have my .ovpn file that contains all my key info, but i also have the auth-user-pass thing enabled
10:02 < hiya> ok
10:02 < hiya> and?
10:02 < ohsnap> so i couldnt remember my vpn account creds because i never use them... but, on a whim i decided i would try my real account creds (the account that is actually a real shell account, not just one that i made that has a shell of passwd)
10:02 < ohsnap> so i typed in my real creds, which username does NOT match the common name in my cert, and it still let me on
10:03 < hiya> ohsnap, ok that is sad news
10:04 < ohsnap> i guess i should just be asking this: is it the default behaviour of openvpn to check the common name of a cert and compare it to the username that was supplied using auth-user-pass?
10:05 < ohsnap> or does it not care about that by default unless you specify an option to check the common name vs username?
10:09 < hiya> ohsnap, wow let me try it too :)
10:09 < ohsnap> hiya: https://forums.openvpn.net/topic7733.html
10:09 <@vpnHelper> Title: OpenVPN Support Forum common-name-as-username : Wishlist (at forums.openvpn.net)
10:09 < ohsnap> it looks like someone noticed this in the past also, checking if anything was done about it
10:11 < hiya> ok
10:17 < hiya> ohsnap, ok
10:17 < hiya> So in my tests
10:18 < hiya> ohsnap, you on?
10:18 < ohsnap> yes
10:18 < hiya> See, when I tested it
10:18 < hiya> regardless of what username password they use
10:18 < hiya> they would always be identified as the common name of the Certs they have
10:19 < ohsnap> so in your test you can mix and match the certs with any valid username/password and it still lets you onto the VPN? (and identifies you by the certs common name, regardless of which username/password you use?)
10:20 < hiya> ya
10:20 < ohsnap> ok, same here. just making sure
10:21 < hiya> ohsnap, So what is problem? W/e he does, he is still being identified as that user with certs only
10:21 < hiya> then?
10:21 < ohsnap> no my problem is this
10:21 < hiya> it seems like a good feature to me :P
10:21 < ohsnap> my boss fired the other co-worker here, and i wanted to make sure he was locked out of the vpn
10:22 < ohsnap> so im worried because technically he may have had access to other peoples private certs and their username/passwords
10:22 < ohsnap> even though i removed his account, he could still have a way in now, because he can mix and match anyones cert + anyones username/password
10:22 < hiya> ohsnap, Can everyone's password
10:22 < hiya> change*
10:22 < hiya> done
10:22 < hiya> :)
10:22 < ohsnap> :(
10:23 < hiya> Why sad?
10:23 < ohsnap> that is a lot of passwords
10:23 < hiya> how many?
10:23 < ohsnap> too many to want to do that
10:25 < hiya> there is just no solution to it
10:25 < hiya> because he could just be having anyone's certs + user/pass
10:25 < hiya> even if you set it such that both has to match
10:26 < hiya> the only viable solution is
10:26 < hiya> traffic limitation or password change
10:30 < hiya> ohsnap, the link you shared already have a solution
10:31 < ohsnap> hiya: the solution i saw it it was modifying the pam plugin which i want to avoid, or something else related to a script that i didnt understand
10:32 < hiya> ohsnap, but how would it help you?
10:33 < hiya> that client might just be having access to multiple persons user/pass + certs
10:34 < ohsnap> ive already decided
10:34 < ohsnap> im going to nuke whole setup and start over
10:34 < ohsnap> but i want it set up so that going forward
10:34 < ohsnap> you can only log in with YOUR username and YOUR cert
10:34 < ohsnap> not someone elses username and your cert
10:34 < hiya> ok
10:34 < ohsnap> not someone elses cert and your username
10:34 < hiya> not someone elses cert and your username <-- this is not possible
10:34 < hiya> :)
10:35 < hiya> unless the user is NOT online
10:35 < ohsnap> it was possible for me this weekend
10:35 < ohsnap> i connected to the vpn using my cert, but not my vpn username (a totally different account)
10:35 < hiya> ok
10:35 < hiya> That is possible
10:36 < hiya> but how can you use other's cert + your user/pass when the other user is on?
10:36 < ohsnap> we are talking about totally different things here
10:36 < ohsnap> i dont know if that would work, i dont care if that would work
10:36 < hiya> ok
10:37 < hiya> I see
10:37 < ohsnap> right now i only care about an ex employee that may or may not have some valid certs and some valid usernames/passwords
10:37 < ohsnap> and their ability to log on the vpn
10:37 < ohsnap> that is all i care about
10:38 < hiya> ohsnap, you are right but he could be having valid certs + user/pass for many?
10:38 < ohsnap> i
10:38 < ohsnap> dont
10:38 < hiya> What would you do in that case?
10:38 < ohsnap> know
10:38 < ohsnap> that is why im nuking the entire server
10:38 < ohsnap> and starting over
10:39 < hiya> ok
11:32 < adac> With openvpn, does all the traffic go through the openvpn server?
11:40 <@Eugene> You can set up openvpn to tunnel internet-bound traffic, yes.
14:19 <@krzee> !beer
14:19 <@vpnHelper> "beer" is what's for dinner (and occasionally breakfast)
14:22 < saik0> Can I disable openssl aes-ni in openvpn?
(to compare throughput enabled and disabled)
14:27 < saik0> I tried setting OPENSSL_ia32cap="~0x200000200000000" but that didnt seem to have any effect in iperf bench, while it was a 2.6x delta openssl speed -evp aes-256-cbc
14:46 <@krzee> !factoids search aes-ni
14:46 <@vpnHelper> No keys matched that query.
14:46 <@krzee> !factoids search
14:46 <@vpnHelper> (factoids search [] [--values] [--{regexp} ] [ ...]) -- Searches the keyspace for keys matching . If --regexp is given, it associated value is taken as a regexp and matched against the keys. If --values is given, search the value space instead of the keyspace.
14:46 <@krzee> !factoids search --values aes
14:46 <@vpnHelper> No keys matched that query.
14:46 <@krzee> !speed
14:46 <@vpnHelper> "speed" is (#1) Having speed problems? The following suggestions may help. or (#2) OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded) or (#3) MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues (see !mtu) or (#4) iface txqueuelen often needs to be >100 on fast and/or latent links or (#5) less likely are issues with bad TCP
14:46 <@vpnHelper> window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs) or (#6) prefer tun over tap (see !tunortap and !whybridge) and UDP over TCP (see !tcp) or (#7) if iperf on public ip is also bad, dont expect openvpn to magically make your connection to the server better. or (#8) also consider testing without compression (on _both_ sides, try: --comp-lzo no) or (#9) a
14:46 <@vpnHelper> user reported that http://lowendtalk.com/discussion/comment/843711/ helped them.
14:46 <@krzee> hmm
14:47 <@krzee> !factoids search jjk
14:47 <@vpnHelper> No keys matched that query.
14:47 <@krzee> !gigabit
14:47 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit
14:47 <@krzee> i swear theres info somewhere on that bot lol
14:53 < saik0> For completeness, I have auth none (so unaccel HMAC does not slow down perf test) and comp-lzo no
15:03 -!- krzee [6820f29d@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds]
15:18 -!- ketas- is now known as ketas
17:25 < grendal_prime> hey i have a client when it connects it tries to forward all traffic through the vpn. Dns stops working immediately and i cannot get to the internet through the local lan connection.
17:26 < grendal_prime> what is the config entry to only send traffic destined for its own network?
17:28 < grendal_prime> so like say my vpn server is on 10.8.6.1 I only want traffic destined for that network to go through the vpn...nothing destined for default gateway.
17:29 < grendal_prime> !ovpnuke
17:29 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
17:29 < grendal_prime> !heartbleed
17:29 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
17:29 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
17:32 < saik0> grendal_prime: on server: push "route 10.8.6.0 255.255.255.0 10.8.6.1"
17:43 < grendal_prime> interesting...i think im already doing that...
17:43 < grendal_prime> im going to have to go back up to the site.
17:48 < saik0> grendal_prime: oh, see if you have redirect-gateway on the client
17:48 < saik0> or pushed to it
23:01 -!- abra0 is now known as tichy
23:02 -!- tichy is now known as abra0
--- Day changed Tue Feb 16 2016
00:42 -!- krzee [6820f29d@openvpn/community/support/krzee] has joined #openvpn
00:43 -!- mode/#openvpn [+o krzee] by ChanServ
03:26 < nanok> hello
03:29 < nanok> i setup this openvpn server running on tcp. it seems every time reneg-sec elapses (about 1h), for each and every user, i get the dreaded "TLS keys out of sync", and the user ends up disconnected, only way back is relogin. i'm stumped to be honest, "i don't get it". i must be missing something obvious i'm sure
03:30 < nanok> btw, users are on various clients and platforms (windows, linux, mac) it happens to all of them regardless
03:36 < nanok> i tried to google for it, but for the most part people talk about this happening with udp, seems it should be almost impossible with tcp. version is 2.3.4-5+deb8u1 (packaged by debian)
03:38 < nanok> !paste
03:38 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
03:39 < nanok> right
03:49 <@krzee> nanok:
03:49 <@krzee> !configs
03:49 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting
03:51 < nanok> krzee: hello. alright, let me pastebin it then
04:01 < nanok> krzee: https://gist.github.com/anonymous/3b61882a64dc29aaba2b#file-ovpn-server-conf
04:01 <@vpnHelper> Title: openvpn server config · GitHub (at gist.github.com)
04:03 <@krzee> and the client...?
04:04 < nanok> krzee: yeah, on it, sorry
04:07 < nanok> https://gist.github.com/anonymous/6647c2a59114abfb883e#file-client-ovpn-conf
04:07 <@vpnHelper> Title: client-ovpn.conf · GitHub (at gist.github.com)
04:36 < nanok> krzee: and the errors look like this "TLS Error: local/remote TLS keys are out of sync"
06:33 < Terminus-> hello. question, for password auth, does openvpn have an internal mechanism for it or must you use an external script with --auth-user-pass-verify?
07:17 < aix> Hi!
07:21 < aix> My IPv6 doesn't seem to work, I'm using OpenBSD and here's the server-side config: http://pastebin.com/gg3nnzLK
07:22 < aix> Here's the client bits http://pastebin.com/nvrhxfPp
07:30 <@plaisthos> ==\]
07:30 <@plaisthos> ==\][']
07:30 <@plaisthos> \
07:50 <@plaisthos> argh
08:16 < aix> hi
08:56 < adac> Guys, can OpenVPN be a bottleneck? I mean if all traffic goes through the server at one point it would get slow, right?
08:56 < nanok> Terminus-: there are many options, including pam. you'll have to read a bit the docs/howto's, there's no short answer to your question
08:57 < skyroveRR> adac: can be, there's the TLS overhead. Much like any other VPN.
08:57 < Terminus-> nanok: i was looking for just a simple way to do it, like something similar to an htaccess file.
08:57 < nanok> does anybody have some hints regarding a tcp ovpn server, spitting this out every hour or so for each user that reaches the hour? "TLS Error: local/remote TLS keys are out of sync"
08:58 < nanok> Terminus-: i'd google for a howto (or a few), there's many ways to set it up, and you'll easily find one that you like
08:59 < adac> skyroveRR, I just imagine having a huge and very popular application with many nodes. Connecting this app to one single VPN server, would probably at some point make problems
08:59 < Terminus-> nanok: errr, i meant htpassword. gotcha, thanks.
09:01 < adac> skyroveRR, mean is there some kind of clustering possible with OpenVPN, so that I could add yet another server at any time when the traffic cannot be handled anymore by one server?
09:01 < skyroveRR> adac: IDK about that..
09:02 < adac> skyroveRR, kk thanks anyways! :)
09:02 < skyroveRR> You'll have to failover in some other way..
09:02 < skyroveRR> But I don't think openvpn has such a feature.
09:02 < skyroveRR> Never come across one..
09:04 < skyroveRR> adac: why not have both vpn1.example.com and vpn2.example.com up and running? IF you think vpn1.example.com fails, simply tell the client to disconnect and jump over to vpn2.example.com.
09:04 < skyroveRR> You can of course automate it by scripting it.
09:05 < adac> skyroveRR, Exactly I do have such a solution that is working fine (it is not in production yet here)
09:05 < adac> the problem only is: what happens if the VPN becomes a bottleneck in terms of traffic that needs to go through one node
09:06 < adac> I'm not sure if that can happen, just asking :)
09:06 < adac> but theoretically as everything goes through the server, there can be such a problem at some point I guess
09:06 < skyroveRR> Like?
09:07 < adac> like having 20 frontend server and 15+ database server that all are communicating through this VPN
09:07 < adac> just an example ;)
09:07 < adac> (I don't have that much yet :P )
09:08 < skyroveRR> adac: well, then that would depend on how much your database servers are at ease then..
10:27 < aix> hi
10:30 <@plaisthos> !ask
10:30 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
10:32 < nanok> does anybody have some hints regarding a tcp ovpn server, spitting this out every hour or so for each user that reaches the hour? "TLS Error: local/remote TLS keys are out of sync" (configs and more details available if somebody is available)
10:32 <@krzee> hey aix last night you did not post the client config
10:32 < aix> got the other two though?
10:33 <@krzee> two?
10:33 < aix> https://spit.mixtape.moe/view/88144d7c#BQEvI9NnqlDgLBU9jTnxhrSULN3Ls7VF https://spit.mixtape.moe/view/875c6a4c#UPEwZNUt8RZPMRbna3efreWvqCz7ajMc
10:33 <@vpnHelper> Title: Untitled - Mixtape Paste (at spit.mixtape.moe)
10:33 <@krzee> got the server config and some random pings and ip command i didnt want
10:33 < aix> Here's the client https://spit.mixtape.moe/view/8ad263ac#1NKgP3rpz3R5fq5GJc0F9UUlhfRsDB3u
10:33 <@vpnHelper> Title: Untitled - Mixtape Paste (at spit.mixtape.moe)
10:34 < aix> Basically, I can reach any ipv6 or v4 address on the box but not external addresses (v4 works, v6 doesn't)
10:34 < saik0> In server mode with persist-tun, ifconfig-noexec, route-noexec (*-script are undef). tun and routes are setup at boot by OS. ovpn is taking the tun down when it exits
10:35 <@krzee> oh my bad i had confused you with somebody else
10:35 < aix> krzee, me?
10:35 < aix> I was on last night, and had to leave suddenly
10:35 <@krzee> ya i wasnt waiting on your client config stuff yesterday, oops :D
10:36 < saik0> FreeBSD 10.2-Release, openvpn 2.3.10 build from ports
10:36 <@krzee> saik0: so whats wrong?
10:37 <@krzee> you want openvpn to not close tun on its way out? 10:37 <@krzee> if you drop permissions it wont be able to 10:38 < saik0> @krzee Its running in a jail, it can ake the tun down or up, but cant set the IP 10:38 < saik0> Or modify routes 10:38 < saik0> So its seup ahead of time by the host OS 10:38 <@krzee> gotchya 10:39 < saik0> So once it goes down, there no coming back up (correctly) 10:39 <@krzee> witrh --user and --group it wont even be able to take tun down 10:40 < saik0> Both set to nobody o_O 13:40 -!- krzee [6820f29d@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds] 14:07 < encore> !welcome 14:07 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 14:07 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 17:41 -!- DrCode_ is now known as DrCode 17:41 -!- netwoodle is now known as noodle 17:41 -!- sweatsuit_ is now known as sweatsuit 17:52 -!- batrick is now known as Guest93626 19:28 -!- lkjahsdkfj is now known as uiyice 20:22 < tpanarch1st> hello, I am in the process of creating some new certs, please could I ask, does the following look correct http://snag.gy/rPRbm.jpg - thanks 21:02 <@ecrist> sure 21:03 < tpanarch1st> hello ecrist just a bit scared - i dont want to lock myself out :) 21:03 < tpanarch1st> what im not sure on is i have all my certs names but they are not appearing as the names i gave them? 
21:03 < tpanarch1st> given all* 21:14 <@ecrist> tpanarch1st: the file name doesn't matter 21:14 <@ecrist> the openvpn server doesn't need to know about the other certificates 21:14 <@ecrist> it just follows the certificate chain 21:15 < tpanarch1st> ah ok, i need to essentially get rid of the old certificates that worked and create new ones 21:15 <@ecrist> why? 21:16 < tpanarch1st> i ran clean-all but i dont know if that got rid of them - it just told me that if i run it it will rm -rf the stuff 21:17 < tpanarch1st> ecrist: oh my friend said it would be wise to do so as in my naivety i emailed myself a file containing my server key 21:17 < tpanarch1st> im just a bit lost in the process 21:29 <@ecrist> the clean-all is sufficient 21:30 <@ecrist> it is wise to leave SSH open to the internet on your VPN server, or to somehow have physical access to it 21:30 <@ecrist> I recomment key-based authentication via SSH 21:35 < tpanarch1st> ecrist: have you ever seen openwrt/luci before :) 21:35 < tpanarch1st> and thank you so much for your time btw 21:36 < tpanarch1st> biting my nails like mad! 21:38 <@ecrist> I've seen openwrt, yes 21:38 <@ecrist> not sure what luci is 21:41 < tpanarch1st> oh thats the GUI ecrist 21:42 < tpanarch1st> well currently, i have ticked, allow the root user to login with password and allow ssh password authentication 21:42 < tpanarch1st> I don't know whether to tick "allow remote hosts to connect to local SSH forwarded ports" 21:42 < tpanarch1st> that is in the same group as the other two 21:43 <@ecrist> no 21:43 < tpanarch1st> ah thats good :) 21:44 < tpanarch1st> ecrist: how do I know which one I have created for my client laptop? I had deliberately named it but I didn't realise that the names would not be obvious in the directory :) 21:45 < tpanarch1st> the irony is, i still seem to be connected to the vpn unless you can actually remove certs and stay connected? 
21:49 <@ecrist> the certificates and keys are read when the vpn starts
21:50 <@ecrist> the only thing that is re-read on each connection is the CRL
21:50 <@ecrist> You can use the following command to read the certificate details: openvpn x509 -noout -text -in client*.crt
21:51 < tpanarch1st> ecrist: so this would be on my router where ive installed the vpn?
21:51 < tpanarch1st> Options error: I'm trying to parse "x509" as an --option parameter but I don't see a leading '--'
21:51 < tpanarch1st> Use --help for more information.
21:51 < tpanarch1st> root@OpenWrt:/etc/openvpn#
21:53 <@ecrist> sorry
21:53 <@ecrist> openssl x509 -noout -text -in client*.crt
21:53 <@ecrist> you run that in the dir where you posted the image earlier
21:53 < tpanarch1st> oh its not problem im just truly grateful for your time
21:54 < tpanarch1st> no*
21:54 < tpanarch1st> Error opening Certificate client*.crt
21:54 < tpanarch1st> 2009580616:error:02001002:lib(2):func(1):reason(2):NA:0:fopen('client*.crt','r')
21:54 < tpanarch1st> 2009580616:error:20074002:lib(32):func(116):reason(2):NA:0:
21:54 < tpanarch1st> unable to load certificate
21:54 < tpanarch1st> root@OpenWrt:/etc/openvpn#
21:55 <@ecrist> so run it for each clientX.crt in that dir
21:55 <@ecrist> openssl x509 -noout -text -in client1.crt
21:55 <@ecrist> etc
21:57 < tpanarch1st> ecrist: so there is two
21:57 < tpanarch1st> the correct one displays when i do server.crt
21:58 < tpanarch1st> of course using your command
21:59 < tpanarch1st> so presumably i need to revoke one of them somehow?
21:59 <@ecrist> so, that is the server certificate
21:59 <@ecrist> You shouldn't have multiple certificates with the same CN (common name)
22:01 < tpanarch1st> ca.crt is my old one
22:01 <@ecrist> So, my recommendation is this
22:02 <@ecrist> * create a CA with a CN such as tpanarch1st's VPN CA
22:02 < tpanarch1st> thats what i have done :)
22:02 <@ecrist> * create a server certificate (signed by your new CA) with a CN such as tpanarch1st's VPN server
22:03 < tpanarch1st> ive tried to do that and i think that is done too
22:03 <@ecrist> * create client certificates named for each user or use (tpanarch1st, microwave, rpi, etc)
22:04 <@ecrist> so there is no issue
22:04 <@ecrist> :)
22:04 < tpanarch1st> hehe will need to do a few more
22:04 < tpanarch1st> sure
22:04 < tpanarch1st> im just confused
22:04 < tpanarch1st> because there is still an old one existing
22:04 < tpanarch1st> i dont think you just delete it do you?
22:05 <@ecrist> no old ones, if you look at your jpg you posted, all the timestamps on the file are in line with each other
22:05 <@ecrist> you can also use openssl x509 -verify (read man page for other options) to see how the chain works
22:09 < tpanarch1st> ecrist: sorry i did the list in the wrong shooting folder
22:09 < tpanarch1st> so sorry
22:09 < tpanarch1st> http://snag.gy/kSwVh.jpg
22:09 < tpanarch1st> this is what was confusing me
22:09 < tpanarch1st> so you can now see old and new
22:24 < tpanarch1st> ecrist: i guess i need to remove the old ones somehow?
22:31 <@ecrist> You need to do something like that, yes
22:32 < tpanarch1st> but not just delete them?
22:39 <@ecrist> tpanarch1st: openvpn reads the files once, upon startup
22:39 <@ecrist> except the CRL
22:39 <@ecrist> it never reads the client certificate files
22:39 <@ecrist> or their keys
22:40 <@ecrist> so, if you have all new certs and keys, you can delete everything that isn't within that chain
22:42 < tpanarch1st> ah do you not have to properly "revoke anything" ecrist
--- Day changed Wed Feb 17 2016
00:27 < tpanarch1st> thanks for your time ecrist not managed to sort things out but heyho :)
01:04 < hiya> ecrist, plaisthos I would like to know, how can I make PAM auth match the certificate's name and then only allow connection?
01:05 < hiya> For example if it is connection for hiya.crt the username has to be hiya only and then only it should connect else disconnect
01:06 < hiya> the problem is I can use hiya.crt and connect using anyone's user/pass for explain I can connect as hiya.crt with password "wife12" bearing username wife
01:57 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Quit: ZNC - http://znc.in]
01:57 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
01:58 -!- mode/#openvpn [+o mattock] by ChanServ
02:04 -!- mattock_ [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
02:04 -!- mode/#openvpn [+o mattock_] by ChanServ
03:34 -!- dazo_afk is now known as dazo
03:56 -!- Netsplit *.net <-> *.split quits: +s7r, @plaisthos, +RBecker
03:56 -!- Netsplit over, joins: plaisthos
03:56 -!- mode/#openvpn [+o plaisthos] by ChanServ
03:57 -!- Netsplit over, joins: RBecker
03:57 -!- mode/#openvpn [+v RBecker] by ChanServ
03:59 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
03:59 -!- mode/#openvpn [+v s7r] by ChanServ
04:07 -!- Netsplit *.net <-> *.split quits: +s7r, @plaisthos
04:07 -!- Netsplit over, joins: s7r
04:07 -!- mode/#openvpn [+v s7r] by ChanServ
04:07 -!- Netsplit over, joins: plaisthos
04:07 -!- mode/#openvpn [+o plaisthos] by ChanServ
04:53 -!- Netsplit *.net <-> *.split quits: +hazardous
04:54 -!- Netsplit over, joins: hazardous
04:54 -!- mode/#openvpn [+v hazardous] by ChanServ
05:08 -!- Netsplit *.net <-> *.split quits: +hazardous, @dazo, @plaisthos, @syzzer
05:08 -!- Netsplit over, joins: plaisthos
05:08 -!- mode/#openvpn [+o plaisthos] by ChanServ
05:08 -!- Netsplit over, joins: hazardous
05:08 -!- mode/#openvpn [+v hazardous] by ChanServ
05:10 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
05:10 -!- mode/#openvpn [+o syzzer] by ChanServ
05:14 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
05:14 -!- mode/#openvpn [+o dazo] by ChanServ
05:54 -!- Netsplit *.net <-> *.split quits: @mattock_
05:55 -!- Netsplit over, joins: mattock_
05:55 -!- mode/#openvpn [+o mattock_] by ChanServ
--- Log closed Wed Feb 17 06:03:20 2016
--- Log opened Wed Feb 17 07:15:55 2016
07:15 -!- Irssi: #openvpn: Total of 198 nicks [4 ops, 0 halfops, 3 voices, 191 normal]
07:15 -!- mode/#openvpn [+o ecrist] by ChanServ
07:15 -!- Irssi: Join to #openvpn was synced in 1 secs
07:16 <@ecrist> hiya: did you get your question answered?
07:16 <@ecrist> I got disconnected
07:25 -!- batrick_ is now known as batrick
07:25 -!- batrick is now known as Guest22695
08:19 < hiya> the problem is I can use hiya.crt and connect using anyone's user/pass for explain I can connect as hiya.crt with password "wife12" bearing username wife
08:19 < hiya> ecrist, I did not get the reply
08:19 < hiya> :(
08:26 <@dazo> hiya: there are no coupling between username/passwords and the certificates ... you need a plugin/script-hook for doing that ... Which is one of many reasons I wrote eurephia
08:26 <@dazo> !eurephia
08:31 < hiya> !eurephia
08:31 < hiya> :)
08:32 < hiya> http://www.eurephia.net/
08:32 < hiya> dazo, ^
08:32 < hiya> is this the one?
08:35 <@dazo> hiya: yes
08:37 < hiya> it is too complicated :P
08:37 < hiya> but I am trying to learn
08:39 <@plaisthos> hiya: perhaps you should then stick to user/pass _or_ certificates
08:39 <@plaisthos> and not trying make a mix of both work
08:40 < hiya> dazo, user certificate file has to be .pem? or .key would do? or is it .crt?
08:40 < hiya> plaisthos, I have both it works but one can login with any user/pass yet would be identified as certificate name only
08:40 < hiya> :)
08:42 <@dazo> hiya: user certificate filenames does not matter ... what matters is the contents of the file .... PEM formatted cert files (the most commonly used with openvpn) contains "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"
08:44 < hiya> dazo, I use easy-rsa and I only see a user.crt user.key
08:44 <@dazo> cat user.crt
08:44 <@dazo> cat user.key
08:45 < hiya> dazo, I have another problem, I gen all the certs on a local computer and then scp them to the server
08:45 < hiya> do you think it is relevant to this plugin?
08:46 <@plaisthos> hiya: normally there no reason to use certificates *and* username/password
08:49 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 240 seconds]
08:51 -!- shootbird is now known as KavanS
08:51 -!- KavanS is now known as shootbird
08:52 < hiya> plaisthos, I use it as an additional method to prevent access without revoking the certs but I have come up with another method as well to drop all the connections for that particular Private IP on OpenVPN Server, since a user's identity is attached with a private IP
08:52 < hiya> I do not log anything hence it is the only way
08:52 -!- batrick_ is now known as batrick
08:53 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
08:53 -!- mode/#openvpn [+o dazo] by ChanServ
08:55 < hiya> dazo, is there any easy to use guide?
08:55 <@dazo> hiya: !?
09:00 <@plaisthos> hiya: watt?!
09:00 <@plaisthos> that makes no sense
09:00 < hiya> which part?
09:03 <@plaisthos> all of it
09:03 <@plaisthos> use username/password to revoke a certificate
09:03 < hiya> where did i say so?
09:05 <@plaisthos> "I use it as an additional method to prevent access without revoking the certs"
09:06 < hiya> plaisthos, see if I just provided you with certs as auth mode, I would have to revoke your certs to prevent you from accessing openvpn server
09:06 < hiya> and update the crl
09:06 < hiya> So I use addition PAM auth
09:07 < hiya> I just have to delete your user account or change your pass to keep you on hold
09:07 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 240 seconds]
09:07 <@plaisthos> you still mixing authentication and authorisation
09:08 <@plaisthos> hiya: see --disable
09:08 < hiya> plaisthos, but the output is same?
09:08 < hiya> oh
09:08 < hiya> ?
09:08 < hiya> Wait
09:09 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
09:09 -!- mode/#openvpn [+o dazo] by ChanServ
09:10 < hiya> plaisthos, the manual itself is recommending not to use it but use CRL
09:11 <@plaisthos> you use crl, when a certificate has been compromised
09:11 < hiya> plaisthos, for the option you suggested I would have to restart openvpn server every time to append the client list unlike in the method I recommend (PAM auth)
09:12 <@plaisthos> hiya: read the man page ....
09:12 <@plaisthos> the --disable option even tells you how to use it
09:13 < hiya> I do not use either of those
09:14 <@dazo> hiya: with --ccd you do not have to restart the server ... you only add 'disabled' into the proper CCD file, and next time the client connects, it will be rejected
09:14 <@plaisthos> crl <-> certificate compromised, --disabled, user authenticated but not authorised
09:16 < hiya> dazo, i need to learn your plugin
09:16 < hiya> its best solution
09:23 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 240 seconds]
09:32 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
09:32 -!- mode/#openvpn [+o dazo] by ChanServ
09:41 < hiya> !ccd
09:41 < hiya> plaisthos, So in order to setup ccd I just have to set a directory in server.conf and then create a file with common name of the cert?
09:41 < hiya> in that directory?
09:42 < hiya> and then input client specific stuff there?
09:44 <@plaisthos> !ccd
09:44 <@plaisthos> hm
09:46 < hiya> plaisthos, --client-config-dir usernames
09:46 < hiya> cd usernames
09:46 < hiya> nano BLOCKEDUSER
09:46 < hiya> disable
09:46 < hiya> save
09:46 < hiya> done?
09:46 < hiya> wow
09:46 < hiya> :)
09:53 <@plaisthos> yes
09:55 < hiya> plaisthos, Do you think I should implement http://www.eurephia.net/ ?
09:55 < xdexter> I am a customer of a VPN to connect to the server he can access all my right services? That this case is controlled by the firewall on my server, correct?
09:57 <@plaisthos> yes
09:57 <@plaisthos> hiya: my crystal ball is out of service
09:57 <@plaisthos> I have no idea of your requirements
09:58 <@plaisthos> you have to decide that for yourself
09:58 < hiya> ok
10:36 < hiya> plaisthos, how do I create a new group/user for openVPN with least privileges
10:37 < hiya> I know about user
10:42 <@plaisthos> hiya: use google
10:45 < hiya> I did but I seek help with openvpn specifically
10:46 <@plaisthos> hiya: lot of your question are phrased in way that no research or try to it on own
10:47 <@plaisthos> I don't like spoonfeeding answers to people
10:53 < hiya> plaisthos, ok, I get it
10:55 < opticvision> !welcome
11:07 < gravspeed> hey guys
11:08 < gravspeed> i'm having an issue with a client/server setup under vyatta (ubiquiti edgerouters)
11:08 < gravspeed> server side looks fine, i show the client cn, ip and tunnel ip, but the client side does not show the server cn or tunnel ip and i cannot reach the server side
11:09 < gravspeed> i was able to set up a site to site fine, but the client server model seems better since i am going to have 14 endpoints, some with dynamic ips
11:11 < Eugene> !logs
11:12 < Eugene> !log
11:12 < Eugene> Useless bot, not even here
11:15 < gravspeed> which logs do you want to see?
11:24 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 240 seconds]
11:25 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
11:25 -!- mode/#openvpn [+o dazo] by ChanServ
11:25 < Eugene> The client's log of the connection
11:37 < gravspeed> these lines look rather relevant
11:38 < gravspeed> hold on, clipboard sharing just broke...
11:39 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 240 seconds]
11:39 < gravspeed> ok, so i'll paraphrase while i figure out what just happened to my synergy.
11:42 < gravspeed> linux route add command failed... error status 2
11:42 < Eugene> Are you running openvpn as something other than root?
11:43 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
11:43 -!- mode/#openvpn [+o dazo] by ChanServ
11:44 < gravspeed> it's an ubiquiti edgerouter
11:45 < gravspeed> ps -aux | grep openvpn... running as root
11:46 < Eugene> So probably not permissions, a different route failure then. Conflicting with existing subnets?
11:47 < gravspeed> looking at the output of route, it did actually add the route it was supposed to
11:47 < gravspeed> no subnet conflict
11:47 < Eugene> Well, something's failing. Pastebin your whole client and server log
11:47 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 268 seconds]
11:49 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
11:49 -!- mode/#openvpn [+o syzzer] by ChanServ
11:58 < gravspeed> ok, so there's some progress... looking at those logs i found a line about the lzo decompression, i disabled it on both sides and now i can ping across the tunnel from the router, but not from a client behind it....
12:23 < gravspeed> ok... so new issue... the tunnel is up, the client router can ping devices behind the server router, but a client behind the client router cannot ping the server router or devices behind it.
12:36 < gravspeed> oh how i wish i could ever get time to focus on one thing....
12:36 < gravspeed> so it looks like the server router does not have a route to the client routers internal subnet...
12:36 < gravspeed> that would definitely be an issue.
12:37 < gravspeed> should i have a --push route option for the client network too?
12:47 < Neighbour> put an iroute in the ccd in order to get the routing from server lan to client lan working
12:47 < Neighbour> and a push route with the server lan in the ccd for the routing from the client lan to the server lan
12:48 < Neighbour> also make sure that the default gateway of the client lan has a route for the server lan network pointing to the openvpn server (if these are not the same machines)
12:50 < gravspeed> the routers are running the openvpn, i have a push route on the server router for the subnet on that side. i tried adding a push route to the client side but that didn't help...
12:51 < gravspeed> the client router can ping anything on the server router side, but the clients behind the client router cannot.
12:51 < gravspeed> show ip route on the client side has the correct entries, but on the server side does not show the client subnet.
12:55 < gravspeed> so i want to add something like openvpn-option "--iroute 192.168.3.0 255.255.255.0"
12:58 < gravspeed> that's definitely wrong... ...failed to start openvpn tunnel... commit failed
12:58 < gravspeed> show log says iroute cannot be used in this context
13:02 < gravspeed> and somehow trying to add that broke it more...
15:29 < lycosta> Hey!
15:29 < cwage> can anyone give me a hint what "bad source address from client [::], packet dropped" in an openvpn server log typically indicates?
15:32 < lycosta> haven't encountered that before
15:32 < lycosta> I'm actually having trouble connecting to the internet once connected to the vpn
15:41 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 244 seconds]
15:43 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
15:43 -!- mode/#openvpn [+v hazardous] by ChanServ
16:27 < cwage> i enabled duplicate-cn and when clients connect from another machine we get TONS of this sort of thing: MULTI: bad source address from client [10.8.2.5], packet dropped
16:27 < cwage> is that normal?
16:27 < cwage> does duplicate-cn play nice with udp?
16:27 < cwage> wondering if because udp is stateless the two diff. sessions get confused if they are coming from the same network or something
16:45 < Eugene> Stateless connection, but the UDP streams are from a consistent source port on the client
16:46 < Eugene> And yes, it works fine with UDP
17:23 < gravspeed> ok, i'm back.... so from my client router i can reach devices behind the server router, but clients behind the client router cannot
17:23 < gravspeed> i think this is because the server router does not have a route to the inside network on the client router.
17:24 < gravspeed> Neighbour said that i needed to add an iroute, how do i do that? i can't find an example for doing that in vyatta
17:24 < gravspeed> i was thinking that it would be an openvpn-option line, but when i tried to add that it would not commit
18:10 < ljvb> there a way to suppress bad source message in the logs (I know what causes, I don't need to advertise the network causing it.. hotel network)
18:17 < ljvb> fine.. guess I'll add the network just to shut the logs up
18:17 < ljvb> heh
18:34 < gravspeed> ok, so i was able to make my vpn connect both ways by adding a static route
18:34 < gravspeed> to the server side, pointing the client subnet at the tunnel ip...
18:35 < gravspeed> i found where the iroute was added, it is created by adding the subnet line to the vtun0 server client site1
18:36 < gravspeed> it then appears in the /var/run/openvpn/ccd/vtun0/site1
18:38 < gravspeed> if i remove the iroute, it does not work, if i remove the static route, it does not work...
18:39 < gravspeed> are both necessary? or am i doing something wrong?
22:56 < Neighbour> gravspeed: you need both the kernel routing table entry and the iroute entry
--- Day changed Thu Feb 18 2016
00:47 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
00:48 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
00:48 -!- mode/#openvpn [+v s7r] by ChanServ
02:53 < c|oneman> hi, I'd like to setup a machine that connects to an openvpn remote server as a client, and then exposes itself as a default gateway that computers on the lan can use
02:54 < c|oneman> I guess I have to do this
02:54 < c|oneman> http://linuxpoison.blogspot.ca/2009/02/how-to-configure-linux-as-internet.html
03:10 < wsky> why does my windows shows openvpn connection as 10mbit/s
03:10 < wsky> can it only do just 10 mbit?
03:11 < c|oneman> probably not
03:20 < BtbN> How do i tell the openvpn client to add a route to the server, so a new default route doesn't create an infinite loop?
03:20 < heatheriac> I'm usually good at this stuff, but so confused I don't know where to start. Want to set up a VPN on only one machine on my network (192.168.0.102) using PIA's VPN. But I want to still be able to access ports from inside my home network (i.e. VNC or web services on 102 originating from 192.168.0.100) ... Can I get a pointer towards a how to primer to start?
03:21 < BtbN> redirect-gateway does that for IPv4, but i can't find anything like it for IPv6.
03:22 <@plaisthos> BtbN: coming with 2.4
03:22 <@plaisthos> already included in master
03:22 < BtbN> hm
03:23 < BtbN> Is there a release schedule, or just when it's done?
03:23 <@plaisthos> BtbN: when it is done
03:23 < BtbN> Also, what's the directive for it? Just redirect-gateway-ipv6?
03:23 <@plaisthos> hopefully this year
03:24 <@plaisthos> redirect-gateway will also handle the ipv6 case automatically
03:24 < BtbN> Putting the linux servers and clients on a git build wouldn't be the problem, but all the windows clients...
03:24 <@plaisthos> redirect-gateway ipv6 will also redirect ipv6 traffic to the vpn
03:25 < BtbN> I guess I can emulate it for the servers which have a static IP, but not for the home router where it changes every day
03:25 <@plaisthos> BtbN: clients announce that they can that to the server by sending IV_RGI6
03:25 <@plaisthos> BtbN: are you connecting over ipv6?
03:26 < BtbN> I connect per dns domain, which has both IPs configured. So it prefers IPv6 whenever available
03:26 <@plaisthos> in 2.3 you have to explicitly say udp6 or tcp6 to connect via IPv6
03:26 < BtbN> hm
03:27 < BtbN> That might solve the Problem for now, but not the optimal solution
03:27 <@plaisthos> in 2.4 it automatically uses ipv6/ipv4
03:27 <@plaisthos> :D
04:32 < mator> what format tls.key should be for openvpn for android?
04:33 < c|oneman> I used this one mator https://play.google.com/store/apps/details?id=it.colucciweb.free.openvpn
04:33 < c|oneman> I dont remember why, but it worked
04:35 < mator> thanks
04:35 < mator> but i trying to use "openvpn for android"
04:35 < mator> i have
04:35 < mator> in the beginning of tls.txt file and key inside , but it doesnt accept this file
04:48 <@plaisthos> mator: same format as for other clients
04:48 <@plaisthos> mator: does not accept, do you have an error message?
05:51 < mator> plaisthos, no error message, just generated config shows:
05:51 < mator> tls-auth missing
05:51 < mator> and of course there's error message if i try to connect:
05:52 < mator> options error: --tls-auth fails with 'missing'
05:52 < mator> (no such file or directory)
05:58 < mator> do i need to convert tls.key to p12 ?
05:58 < mator> is it even possible?
05:58 <@plaisthos> mator: when you import the config file it should tell you that it cannot find the tls-auth file and give a select button to select it
05:59 <@plaisthos> or you can select the tls.key later in the profile
05:59 <@plaisthos> if you send me the profile I can also look into it if there is a bug
06:01 < mator> i'm going to try to export current profile, edit it with hands (adding tls-auth) and import back
06:02 < mator> will report back in a few minutes
06:03 <@plaisthos> mator: it should work with the original profile
06:05 < mator> import log:
06:05 < mator> inporting config file from source file:///storage/emulated/0/Download/openvpn.conf
06:05 < mator> could not read Profile to import
06:07 < mator> how do i export vpn profile?
06:07 < mator> i used share button to send text message to my inbox
06:07 < mator> saved text as openvpn.conf, and it can't import now...
06:09 <@plaisthos> mator: how are you importing?
06:10 <@plaisthos> from a file explorer or directly from the app?
06:12 <@plaisthos> Android 6.0 + some app like ES file explorer?
06:21 < mator> plaisthos, from within the app
06:21 <@plaisthos> Android 6.0?
06:22 < mator> using most right icon with down arrow
06:22 < mator> plaisthos, yes
06:22 < mator> that is why i'm reinstalling openvpn, it was working before
06:22 < mator> ( on 5.1)
06:22 <@plaisthos> mator: do you get the fancy android file chooser or the ugly one?
06:22 <@plaisthos> mator: that is a bug in the app probably
06:22 <@plaisthos> with android 6.0 new permission model
06:22 < mator> fancy one, with downloads, drive, explorer , and so on
06:23 <@plaisthos> oh okay
06:23 <@plaisthos> device?
06:23 <@plaisthos> samsung something?
06:23 < mator> samsung galaxy nexus (2011)
06:23 <@plaisthos> oh custom rom then?
06:23 < mator> cyanogenmod
06:23 <@plaisthos> yepp
06:23 <@plaisthos> okay at least es file explorer is doing something wrong
06:24 < mator> http://forum.xda-developers.com/galaxy-nexus/development/rom-cyanogenmod-13-0-02-11-t3312784
06:24 <@plaisthos> but on Android AOSP I usually got a content:/// url and not a file:// url on import
06:24 < mator> plaisthos, is there any other way to import config ?
06:25 < mator> brb, off for 10 minutes, exam session...
06:26 <@plaisthos> mator: give me a few minutes
06:26 < jrvqq> Hello Im facing problem with openvpn connection. Basically I cannot connect to the vpn through workstations but the vpn work between server and wlan which is RaspberryPi. Does anyone know what would cause this problem
06:31 < jrvqq> we can ping to rasb vpn but we cannot go all the way to server through vpn
06:34 -!- krzee [4465bf6b@openvpn/community/support/krzee] has joined #openvpn
06:34 -!- mode/#openvpn [+o krzee] by ChanServ
06:34 < jgjorgji> ever since i added an option to push a dns server it seems broken, i had a point to point topology where all hosts could talk to each other
06:35 < jgjorgji> now they can't even reach the server and i'm getting this error on only one host
06:35 <@krzee> what error
06:35 < jgjorgji> WARNING: Since you are using --dev tun with a point-to-point topology, the second argument to --ifconfig must be an IP address. You are using something (255.255.255.0) that looks more like a netmask. (silence this warning with --ifconfig-nowarn)
06:36 <@krzee> looks like you changed more than you think
06:36 < jgjorgji> it was working fine with the exact same config (without the push dhcp-options line) for months
06:36 <@krzee> !configs
06:36 < jgjorgji> now it's broken even if i remove the line
06:36 <@krzee> whoa bots down
06:36 < jgjorgji> and the warning appears on only one host
06:44 < jgjorgji> are multiple push options allowed?
06:44 <@plaisthos> yes
06:45 < jgjorgji> does ordering matter?
06:45 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
06:45 -!- mode/#openvpn [+o vpnHelper] by ChanServ
06:46 <@plaisthos> normally not
06:46 <@plaisthos> only for options that overwrite previous values of other values
06:46 <@krzee> !ping
06:46 <@vpnHelper> pong
06:46 <@plaisthos> !ping
06:46 <@vpnHelper> pong
06:46 <@plaisthos> :)
06:46 <@plaisthos> nice feature :P
06:46 <@krzee> !configs
06:46 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting
06:47 <@krzee> plaisthos: =]
06:47 <@plaisthos> !learn ping as "plaisthos tries to break the bot"
06:47 <@vpnHelper> Joo got it.
06:47 <@plaisthos> !ping
06:47 <@vpnHelper> pong
06:47 < skyroveRR> !ping
06:47 <@krzee> haha
06:47 <@vpnHelper> pong
06:48 <@krzee> !forget ping
06:48 <@vpnHelper> Error: 2 factoids have that key. Please specify which one to remove, or use * to designate all of them.
06:48 <@krzee> !forget ping *
06:48 <@vpnHelper> Joo got it.
06:48 <@krzee> !ping
06:48 <@vpnHelper> pong
06:48 <@plaisthos> there are two? :)
06:48 <@plaisthos> maybe I wasn't the first to try that
06:48 <@krzee> i guess you werent first lol
06:49 <@krzee> whats pretty cool is i wasnt root on vpnHelper's new box until 2 days ago
06:49 <@krzee> just in time to restart him today :D
06:52 < jgjorgji> hmm reverting to an earlier config helped i'll see if it breaks the same way later
06:53 <@plaisthos> mator: Can you try this version?
06:53 <@plaisthos> http://plai.de/android/ics-openvpn-0.6.48pre.apk
06:55 < mator> sek
06:56 <@plaisthos> I still confused why you getting the fancy dialog and then end up with a file:// url
06:57 <@plaisthos> But since I need the fix for broken file managers like ES File Explorer anyway ....
07:02 < mator> plaisthos, http://i.imgur.com/NYil7M0.png
07:02 <@plaisthos> did you get a file permission request dialog?
07:03 < mator> yes
07:03 < mator> going to try once again
07:04 < mator> it's now without asking permissions for accessing files, (probably saved it already), but same error
07:04 <@krzee> hah you on 0.6.48pre? whats it take for you to get to 1.0?
07:04 <@krzee> :D
07:05 < mator> krzee, android 60 ? :)
07:05 <@plaisthos> krzee: hey, I already have 48 0.6.x releases :P
07:05 <@krzee> :D
07:05 <@plaisthos> maybe I should drop the 0.6 part :)
07:06 <@plaisthos> or move randomly to 0.7.x when 2.4 is released
07:06 <@plaisthos> to signify that nothing changes in OpenVPN for Android
07:06 <@krzee> googles gunna be like "hey guys, whats a candy starting with x"?
07:07 <@plaisthos> q is also difficult
07:07 <@plaisthos> and only 4 years away ;)
07:08 < mator> ok, just checked apps, it is "storage" access is allowed for "openvpn for android"
07:08 < mator> and i have selinux is in permissive state for this ROM
07:08 < mator> do you need logcat ?
07:09 <@plaisthos> mator: yeah there seem to some strange bug that the permission is only granted after restarting the app
07:09 <@plaisthos> I thought that to be an emulator bug
07:09 <@plaisthos> but it seems not to be the case
07:09 <@plaisthos> can you just kill the app and try again?
07:09 < mator> how do i get/filter logcat only for "openvpn for android"
07:09 < mator> sek
07:10 < hiya> yo man
07:11 < hiya> plaisthos, is there any other way a client can try to connect with another client in openVPN even if we dropped traffic using iptables btw em?
07:11 < mator> plaisthos, ahh yes, killing and running it again helped
07:11 < mator> let me check my configuration now...
07:11 <@plaisthos> mator: I have to look into that bug ....
07:12 < hiya> I am doing advance level of auth for OpenVPN now :) it rocks!
07:17 < mator> plaisthos, works... but i need to remake configuration file, to remove my cert.key password... probably openssl task
07:20 < mator> yeah, fully works now...
07:20 < mator> plaisthos, shoot me a private message /msg if you will need to test it again with a newer build
07:20 < mator> thanks again
07:22 <@plaisthos> mator: that issue is strange ...
07:22 <@plaisthos> my other emulator works fine ...
07:22 <@plaisthos> No idea
07:25 <@ecrist> morning
07:28 <@krzee> morning
07:29 <@ecrist> it was you
07:29 <@krzee> o.O
07:29 <@ecrist> vpnHelper
07:29 * krzee hides
07:29 -!- Irssi: #openvpn: Total of 220 nicks [7 ops, 0 halfops, 3 voices, 210 normal]
07:29 <@krzee> haha ya i restarted him
07:29 <@krzee> he was hiding from freenode
07:30 <@ecrist> naw, the server it was connected to went offline
07:30 <@ecrist> he's normally tab 1 in my screen session
07:30 <@ecrist> now he's not
07:30 <@krzee> ohh
07:30 * mator reads as - now he's hot
07:30 <@krzee> lol you watch his debug?
07:30 <@ecrist> yes
07:31 * krzee starts messaging vpnHelper dirty things
07:31 <@ecrist> ERROR 2016-02-17T06:06:26 Unhandled error message from server: IrcMsg(prefix="asimov.freenode.net", command="401", args=('vpnHelper', 'NickServ', 'No such nick/channel'))
07:31 <@ecrist> INFO 2016-02-17T06:06:27 Holding JOIN to #OpenVPN-forum until identified.
07:31 < mator> love him
07:32 < mator> just some care
07:32 < mator> and he will come
07:32 <@krzee> well
07:32 <@krzee> care or kill + restart
07:32 <@ecrist> heh
07:33 <@krzee> but ya thats good to know, i guess next time ill msg you instead of restarting him myself?
07:33 <@krzee> ...or should i just do what i did?
07:40 < j4s0n> !welcome
07:40 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
07:40 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:42 < j4s0n> !route
07:42 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
07:42 < j4s0n> !tcpip
07:42 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
07:43 < j4s0n> !redirect
07:43 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
07:43 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
07:43 <@krzee> !factoids
07:43 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
07:44 < mator> vpnHelper, !android
07:45 <@ecrist> krzee: doesn't really matter
07:45 <@krzee> cool
07:49 <@plaisthos> !android
07:49 <@vpnHelper> "android" is (#1) available as OpenVPN for Android as an open source OpenVPN client for Android 4.0+. FAQ: http://ics-openvpn.blinkt.de/FAQ.html or (#2) Links: Play Store: https://play.google.com/store/apps/details?id=de.blinkt.openvpn direct apk link: http://plai.de/android or (#3) Old (pre-ICS) device? See !android-old
09:19 < nrky> Hello, I am connected to a VPN but I have no idea how to redirect specific applications to use it, am I missing something obvious because I can't find much info on the web about redirecting irc to the VPN for example.
09:23 <@plaisthos> !app
09:23 <@plaisthos> !app-specific
09:23 <@plaisthos> hm ...
09:23 <@plaisthos> !route-by-app
09:23 <@plaisthos> there was something like that ....
09:24 <@plaisthos> googling for openvpn application specific seems to have some results however
09:24 <@plaisthos> !policy-routing
09:25 < nrky> Ah, okay, I see that it added the route to the VPN provider and the proper device and address.
09:25 < nrky> Sorry about that, it was working for all traffic all along.
10:34 <@krzee> !ping 10:34 <@vpnHelper> pong 10:34 <@krzee> !route-by-app 10:35 <@krzee> !factoids search app 10:35 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined 10:35 <@vpnHelper> policies you set. For Linux, read about !lartc 12:28 < nilekada> !welcome 12:28 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 12:28 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 12:28 < nilekada> !howto 12:28 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN 12:39 < nilekada> Hello guys. I have a mobile broadband connection on my computer that I'm sharing with my phone via WiFi Hotspot. WhatsApp and Facebook are blocked on said phone via the current network I'm using. I'd like to use OpenVPN to circumvent that restriction. What type of setup should I pursue? 12:40 < nilekada> The phone I'm using is a Nokia, running Symbian OS. As such, none of the Google Play apps for private browsing would work 12:40 < nilekada> OS I'm running is Fedora 23. 
12:51 < Eugene> !redirect 12:51 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 12:51 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png 12:51 < Eugene> You'll also need to either NAT or Route the wifi network coming off your laptop 12:52 < nilekada> Eugene thanks for your reply. However I only have my laptop and phone. No spare bit of hardware to spin off as a server. 12:52 < nilekada> Would the described scenario still work? 12:53 < Eugene> So you just need the phone to join+use the wifi network from the laptop? 12:54 < Eugene> (It's not clear if it's your Cell network that's being worked-around, or the Mobile Broadband on the laptop) 12:54 < nilekada> Yes. However the mobile broadband provider I'm using happens to be blocking WhatsApp traffic. 12:55 < nilekada> Mobile Broadband on the laptop 12:55 < Eugene> Gotcha. 12:55 < Eugene> So you need a VPN server on a non-encumbered network. A cheap VPS works well for this 12:56 < nilekada> Hmmm...thank you 12:57 < nilekada> No money at the moment for that I'm afraid though 12:58 < Eugene> AWS has a good Free Tier offer ;-) 12:59 < nilekada> I honestly had my heart fingers crossed for that. Will check out AWS right now. Thanks 12:59 < nilekada> :) 13:00 < Eugene> You get what you pay for, etc. 13:07 < tpanarch1st> good Evening :-) I'm having difficulties revoking a key using OpenWRT, I think the syntax may be different, I have followed the commands suggested on the web :-) 13:09 < dupondje> Hi. Setting up a new VPN server for remote users so they can connect to our network. Now everything works fine, except that I have to push a route (/21) where the VPN server's IP is in. 
13:09 < dupondje> now this breaks the connection with the VPN server... 13:10 < dupondje> Any idea how I can push the /21 route, but tell OpenVPN somehow 'but keep the route to my existing' :) 13:10 <@plaisthos> redirect-private 13:10 <@plaisthos> if you want no default route but connect from that network 13:15 < dupondje> allright, that seems to be fine! thx 13:25 < tpanarch1st> so I need to revoke the old keys or at least check they can't be used, i've googled this is the cleanall command good enough for this purpose please? 13:31 < Eugene> tpanarch1st - clean-all will DELETE everything; likely not what you want 13:32 < tpanarch1st> oh Eugene that sounds perfect then 13:32 < tpanarch1st> I mean, I wanted to set up a new CA, and new certs 13:32 < tpanarch1st> cos as I understand it that renders the old key useless 13:32 < tpanarch1st> but I was looking for a way to check my work 13:32 < tpanarch1st> make sure i've done it properly 13:32 < Eugene> Ahhh, then yup, that will do that for you. 13:32 < Eugene> Make sure that you change all of the certs/keys used in your server and client config 13:33 < tpanarch1st> oh wicked Eugene, so I have a number of old certs on the router - OpenVPN - one of which is currently stored on my laptop and still works 13:33 < Eugene> Just so you know there's no going back from rm 13:34 < tpanarch1st> does the fact that I can still connect to OpenVPN suggest that clean all didn't work, I mean it warned me that it would delete everything, I thought, ah, that warning was odd as I thought it had run 13:34 < tpanarch1st> or do you have to do the cleanall command and then follow the command after 13:35 < Eugene> cleanall deletes it in the easy-rsa management directory. 
It does not delete any copies of them that were made, including those referenced by your server conf 13:36 < tpanarch1st> oh Lordy, so where I do go from here to make sure the keys gone, by the sound of things, it sounds like it's still lurking around :) 13:36 < tpanarch1st> do I* 13:36 < Eugene> Look at your server.conf, see what its referencing for cert/ca/key options 13:36 < Eugene> Those files will need to be replaced with the newly-generated ones 13:37 < tpanarch1st> is server.conf a file that is likely to be on the router? 13:37 < tpanarch1st> I appreciate we talk about "servers" but presumably my router is the equivalent as that's where the VPN runs from 13:38 < Eugene> Your router is running the openvpn server, yes 13:39 < tpanarch1st> Eugene: is it possible my friend deleted that server config file - it's not in the /etc/openvpn directory 13:40 < Eugene> Various router OSes keep their configs in different places. Is there a management GUI for openvpn? 13:43 < tpanarch1st> Eugene: is this what I am looking for :-) (Thank you btw) http://snag.gy/pRcLD.jpg 13:43 < Eugene> Looks right. Not a format I've ever seen before. 13:43 < Eugene> What OS is this? 
13:45 < tpanarch1st> Eugene: this is OpenWRT installed on the router 13:46 < Eugene> Ahhh, not one I've used in forever 13:46 < Eugene> Anyway, you'll need to delete/recreate those files 13:46 < tpanarch1st> Eugene: i'd suggest the starting point of this is i'm able to connect with the old cert installed on my "client" laptop 13:47 < tpanarch1st> i've creates a new cert and dh12 etc in the generate certs section here https://wiki.openwrt.org/inbox/vpn.howto 13:47 < tpanarch1st> created* 14:17 -!- Poster|w is now known as Poster 14:18 -!- s7r [~s7r@openvpn/user/s7r] has quit [Read error: Connection reset by peer] 14:18 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn 14:18 -!- mode/#openvpn [+v s7r] by ChanServ 14:20 -!- phreakocious_ is now known as phreakocious 14:23 < wz> hello, server centos6.7, client win10 14:23 < wz> !welcome 14:23 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki 14:23 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 14:23 < wz> !howto 14:23 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN 15:10 -!- krzee [4465bf6b@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds] 15:19 < onezuff> is it possible to bond two openvpn tun0+tun1 connections and increase the speed of the connection? 
im seeing mixed info online that it is possible and that it's impossible 15:40 < Eugene> Short answer: no 15:40 < Eugene> Medium answer: 15:40 < Eugene> !gigabit 15:40 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit 15:41 < Eugene> Long answer: stop using the stupid tun-mtu etc options that just slow things down; the auto-negotiation is smarter than you 99% of the time. Bonding interfaces isn't really a thing except in L2 broadcast domains, which this isn't. You can do policy-routing/balancing if you're trying to get balancing going across two ISPs (with independent tunnels), but that's probably out of scope 15:43 < zoredache> I wonder if you could do a multi-link PPPoE over a pair of tap tunnels. 15:43 < zoredache> I bet with the right level of insanity, plus insane complexity, you could make something happen. 15:47 < Eugene> I'm sure of it. 16:02 < gnat_x> hi folks. i am trying to set up OpenVPN on a debian linux box that is already providing dhcp to the lan. 16:03 < gnat_x> i'm having trouble figuring out how i should configure the networking for that? 16:03 < gnat_x> is it better to set up a bridge? 16:04 < gnat_x> i'm looking for pointers and docs. happy to rtfm, if i can be pointed at the right fm. 16:09 < zoredache> You almost never want a bridge. Just come up with another subnet to give to your VPN network. 16:10 < gnat_x> okay. 16:16 < DArqueBishop> gnat_x: 16:16 < DArqueBishop> !howto 16:16 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN 16:33 < gnat_x> so. to clarify, as long as i specify unclaimed space in my openvpn configs, i don't need to set up any specific interface, but i do need to set up some iptables rules? 
16:33 < gnat_x> just making sure i'm understanding what i'm reading. 16:58 < Eugene> openvpn will set up a tun interface by itself when it starts up 16:58 < gnat_x> okay. that makes some sense. 16:58 < Eugene> If you have iptables rules that block by default you'll need to allow traffic 16:59 < gnat_x> right. figured there would be some rule massaging. 16:59 < gnat_x> but firewall rules i can change on the fly. 16:59 < Eugene> Yup. 16:59 < Eugene> Treat tun0 like you would eth1 and you should be good 17:00 < gnat_x> cool. and the only place i need to specify it is in server.conf right? (or specify things about it, ip, netmask etc) 17:00 < gnat_x> ? 17:00 < Eugene> That's the only place as far as openvpn is concerned, yup 17:01 < gnat_x> cool. 17:01 < Eugene> I have a paranoid firewall that checks source/destination addresses match interfaces 17:01 < gnat_x> i'm just making sure i'm groking all of this. 17:01 < gnat_x> i have a middling paranoid but moving in that direction. 17:55 < keith_talent> Hey all. Hoping someone here might be able to help me with a really strange problem. I've been trying to run openvpn manually with the client.conf file, and it always connects, but the majority of the time I can't ping any addresses, get 100% packet loss. 17:56 < keith_talent> It would be less confusing if it never worked, but the fact it sometimes works fine is making it stranger. Doing my head in 17:59 < gnat_x> keith_talent: and you can resolve the hostnames? or are you pinging ips? 18:01 < keith_talent> gnat_x: I have just been pinging google to check the connection. Openvpn seems to be connecting to the host without a problem (at least that's what it's saying), but I can't get any internet access after that 18:01 < gnat_x> keith_talent: what OS is your client? 18:01 < gnat_x> (don't want to give you linux commands if you are on windows) 18:02 < keith_talent> I am using Arch Linux, running Openvpn in the terminal 18:02 < gnat_x> cool. what does "ip route" tell you? 
18:04 < keith_talent> When the vpn is connected? 18:08 < keith_talent> default via 192.168.1.254 dev wlp3s0 src 192.168.1.8 metric 302 18:08 < keith_talent> 192.168.1.0/24 dev wlp3s0 proto kernel scope link src 192.168.1.8 metric 302 18:09 < keith_talent> Sorry, that was with the vpn disconnected 18:09 < gnat_x> keith_talent: main thing to look for is that the default route ends up going through the vpn. 18:12 < keith_talent> I will try again in a moment, then come back. Since it's a fresh install of openvpn, running manually, should that mean that the problem is likely in my client.conf? 18:18 < keith_talent> gnat_x: 0.0.0.0/1 via 10.103.1.5 dev tun0 18:18 < keith_talent> default via 192.168.1.254 dev wlp3s0 src 192.168.1.8 metric 302 18:18 < keith_talent> 10.103.1.1 via 10.103.1.5 dev tun0 18:18 < keith_talent> 10.103.1.5 dev tun0 proto kernel scope link src 10.103.1.6 18:18 < keith_talent> 128.0.0.0/1 via 10.103.1.5 dev tun0 18:18 < keith_talent> 178.162.205.24 via 192.168.1.254 dev wlp3s0 18:18 < keith_talent> 192.168.1.0/24 dev wlp3s0 proto kernel scope link src 192.168.1.8 metric 302 18:18 < keith_talent> y 18:18 < keith_talent> gnat_x: That's ip route with the VPN connected 18:22 < gnat_x> okay. so it looks like your default route is still through 192.168.1.254 18:23 < keith_talent> Ahh ok. Should that be something that openvpn changes automatically? 18:23 < gnat_x> it should be. 18:24 < gnat_x> i'm not sure if there is a arch specific way of doing this, and i'm not remembering the syntax offhand; but 'ip route del default' 'ip route add default gw tun0' 18:24 < gnat_x> something like that. 18:24 < gnat_x> check the syntax, so you don't bork your network connection though. 18:25 < gnat_x> (nothing restarting the networking shouldn't be able to clear up, but still annoying) 18:25 < keith_talent> Ok cool. 
I am using networkmanager for wireless access, should I have the networkmanager-openvpn plugin for that to work, or is that not relevant if I am running the openvpn commands manually? 18:27 < gnat_x> keith_talent: that will help. 18:27 < gnat_x> keith_talent: as it is network manager that set the routes. 18:28 < keith_talent> Ok cool, I recently deleted all the vpn related programs to narrow down variables, so I will reinstall that now, cheers 18:29 < keith_talent> Thanks for your patience, PIA asked me to submit a ticket for support, but honestly I don't understand the issue enough to explain it to them :P 18:47 -!- NP-Harda1 is now known as NP-Hardass 20:55 < ljvb> anyone familiar with the openvpn config with the network manager in ubuntu 23:39 < Logicgate> Hey guys, got openvpn up and running on centos and I can connect via my iphone to the server 23:39 < Logicgate> Only problem is traffic is not being forwarded. 23:39 < Logicgate> I'm clearly missing a rule in my iptables 23:40 < Logicgate> May I paste my iptables in a pastebin and have y'all help? 23:59 -!- Logicgate is now known as Guest49508 --- Day changed Fri Feb 19 2016 00:03 < Logicgate> http://pastebin.com/j5afj8uA 00:03 < Logicgate> Here is my iptables config 02:45 < mator> plaisthos, i can't enable ipv6 to work with last build of openvpn for android, which you've provided me yesterday... http://fpaste.org/325541/14558712/ 06:16 < mator> plaisthos 06:16 <@plaisthos> mator 06:17 < mator> plaisthos, i can't enable ipv6 to work with last build of openvpn for android, which you've provided me yesterday... http://fpaste.org/325541/14558712/ 06:17 < mator> i believe dev (null) is wrong 06:17 < mator> should be something like tun0 06:18 < mator> want me to paste full logs ? 
06:19 <@plaisthos> no 06:19 <@plaisthos> no need 06:19 <@plaisthos> the dev null does not matter 06:19 <@plaisthos> 2016-02-19 11:25:55 Local IPv4: 10.8.1.10/30 IPv6: 2a04:dbc3:fffc::1001/64 MTU: 1500 06:19 <@plaisthos> that looks good 06:20 <@plaisthos> right under the DNS server line should be a routes line 06:20 < mator> i could paste routing table from connected android now... 06:20 < mator> sek 06:21 < mator> http://fpaste.org/325665/88421414/ 06:21 <@plaisthos> the routes also have a ::/0 route 06:21 <@plaisthos> and what does not work? 06:21 <@plaisthos> the log looks good 06:24 < mator> plaisthos, doesn't work 06:24 < mator> http://fpaste.org/325666/58844111/ 06:24 < mator> i'm pushing 06:24 < mator> push "route-ipv6 2000::/3" 06:25 < mator> from openvpn server, and i don't see this route being added 06:25 < mator> it was working on 5.1.1 cyanogenmod rom 06:25 < mator> (my previous rom on this galaxy nexus) 06:26 < mator> brb, phone call 06:27 <@plaisthos> the route list has a ::/0 route which includes the 2000::/3 route 06:27 <@plaisthos> did you actually test with a site like http://test-ipv6.com/? 06:27 <@vpnHelper> Title: Test your IPv6. (at test-ipv6.com) 06:32 < mator> plaisthos, i did 06:32 < mator> it's the only way i test my ipv6 06:32 < mator> :) 06:34 <@plaisthos> you can disable the default ipv6 option in the app 06:34 < mator> why it doesn't install 2000::/3 route ? 06:34 <@plaisthos> then you should only get the 2000::/3 route 06:34 < mator> plaisthos, tried both ways 06:34 < mator> no 2000::/3 route 06:35 <@plaisthos> mator: sure? 06:35 < mator> yes 06:35 < mator> let me check once again 06:36 <@plaisthos> for the routing table on the phone btw. 
read the last FAQ 06:37 <@plaisthos> in short use: ip rule, iptables -t mangle -L 06:39 < mator> plaisthos, i've seen "ip rule" today 06:40 < mator> first, ip rule is quite interesting 06:40 < mator> i mean i haven't used it much 06:40 < mator> second, that android does not show me ipv6 routing with simple "ip -6 ro sh", probably i need to add lookup table (from "ip rule sh") 06:44 < mator> i believe, it's wrong lookup ip rule table 06:44 < mator> i don't know 06:47 <@plaisthos> yeah 06:47 <@plaisthos> that linux policy routing android does is near black magic 06:47 <@plaisthos> or at least very confusing 06:48 < mator> plaisthos, http://fpaste.org/325673/55885865/ 06:52 < mator> line starting from unreachable is from "ip -6 route sh table 0" 06:52 < mator> (forgot to add it to fpaste) 06:52 < mator> damn... why doesn't it work... 06:53 < mator> i have plain ipv6 at home, and without tunnel ipv6-test.com tells me about home ipv6 address 06:53 < mator> if i open/connect openvpn tunnel from home, it will receive tunnel ipv6 (besides of local home ipv6 address), and test-ipv6.com will still tell me about my home ipv6 address 06:54 < mator> i wonder, if i reflash to older 5.1.1 ROM and check all this routing tables 06:54 < mator> :-/ 06:56 <@plaisthos> mator: you can also try older version of my app (plai.de/android) 06:56 <@plaisthos> but I am not sure if that changes anything 07:00 < mator> plaisthos, i'm going to try playstore/fdroid version 07:18 <@plaisthos> mator: you can do that too :) 07:21 <@plaisthos> mator: but apart from the permission fix those versions are identical 07:33 < mator> plaisthos, but thanks anyway 07:33 < mator> going to report back when i'll fix it 08:30 < omnidan> hi! I'm trying to set up an openvpn client on my mikrotik routerboard. it's not a server related issue as it works fine on other clients (I just imported the ovpn file and it worked). 
On my router I imported the certs and created a new OVPN Client in the PPP settings panel 08:30 < omnidan> but it's asking me for a username which I haven't configured on the server 08:30 < omnidan> and also not sure what to put for auth and cipher 08:31 < omnidan> https://i.imgur.com/5fEPt5E.png 09:21 < Colti> Hi 09:22 < Colti> is it necessary to have other ports unblocked by iptables than the openvpn server port? 09:22 < Colti> i unblocked the openvpn server port for udp and tcp 09:26 < Neighbour> you only need to unblock one of tcp or udp...depending on whether you use tcp or udp in your openvpn config 09:35 < Colti> ah cool, it's possible to use tcp also, thought it needs udp to work 09:36 < Colti> which is better to use? 09:36 < Colti> tcp or udp? i think tcp will cause less problems with firewalls 10:02 < Poster> Yes - TCP is generally more reliable since it has sequencing numbers and usually passes even the "dumbest" stateful packet inspection devices. 10:02 < Poster> UDP is lighter, but at the cost of sometimes getting lost with "dumb" stateful packet inspection devices 10:02 < Poster> I had the latter with a consumer grade DSL modem/router 10:03 < Poster> I had to reset the DSL modem periodically to clear the state table for UDP connections 10:03 < Poster> flipping the link to TCP resolved it 10:44 < darlinger> I'm having a really weird issue with ifconfig-push 10:45 < darlinger> and what's weird is that what's working for one client isn't for the other 10:45 < darlinger> what happens is that the client connects just fine and receives the static ip, but is unable to push any traffic through the tunnel 10:45 < darlinger> (I'm using subnet topology) 10:46 < darlinger> the line I use is pretty much: 10:46 < darlinger> ifconfig-push 10.0.8.40 255.255.255.0 10:46 < darlinger> which works absolutely fine with another client in a similar manney 10:46 < darlinger> manner* 10:47 < darlinger> and I've singled it out because when I comment it out and restart the client's 
openvpn session, it works perfectly, just without the desired IP :( 10:49 < darlinger> anyone have any ideas as to what's going on? 10:50 < darlinger> it's not firewall either as I'm able to see outgoing packets in the raw table when doing some rapid pings 10:50 < darlinger> and the server never receives any packets :( 10:50 < darlinger> cannot ping the server on its tun interface either 10:51 < Poster> darlinger: that sounds a lot like UAC is prohibiting the route addition, are the problem clients Windows 7 or newer? 10:52 < darlinger> Poster: all Linux-based OSes 10:52 < darlinger> server and client are both vpses 10:52 < Poster> oh, well scratch that then :[ 10:52 < darlinger> going to see if something is getting messed up in the routing tables with ifconfig-push 10:53 < Poster> it could be a conflicting route maybe 10:53 < darlinger> caused by just ifconfig-push though? 10:53 < darlinger> literrally I can toggle it on and off and it will work 10:53 < darlinger> literally* 10:54 < darlinger> not conflicting addresses either since its the only client at this point 10:54 < darlinger> well I mean at the point that it's connected, for testing purposes 10:58 < darlinger> can ifconfig-push mess things up if both server and client are on the same subnet? 10:59 < darlinger> hold on a minute... 11:00 < darlinger> hahahaha I figured it out 11:00 < darlinger> typo. thanks poster 11:00 < darlinger> Poster: ^ 11:01 < darlinger> sometimes I just feel like I'm losing my mind over the stupid stuff :p 11:18 < Otacon22> I'm experiencing slow upload speed when tunneling into the vpn, while the download speed seems to be fine 11:19 < Otacon22> My uplink connections have filtering of ICMP traffic, so maybe it's a MTU issue due to the absence of ICMP packet too big messages? 11:19 < darlinger> Otacon22: which ISP are you using? 
11:19 < Otacon22> I'm using AES as cypher (and my cpu have aes acceleration), and I'm also using comp-lzo 11:20 < Otacon22> darlinger, university network 11:20 < Otacon22> completely blocking ICMP 11:20 < Otacon22> they are assholes 11:20 < darlinger> are you sure that it's openvpn that throttling upload? how are you measuring this? 11:20 < Otacon22> both iperf and speedtest-cli 11:21 < darlinger> hmmm 11:21 < Otacon22> I'm sure that my MTU is 1500 11:21 < darlinger> es default I believe 11:21 < Otacon22> also I've tried sending UDP packets with 1500 size and checking that they are received on the server 11:22 < darlinger> but you're absolutely sure that the degradation isn't just crappy university network upload speeds? 11:22 < Otacon22> let me double-check 11:23 < Otacon22> btw sndbuf/rcvbuf is unrelated, right? 11:23 < darlinger> not sure 11:25 < Otacon22> btw I see a lot of small UDP packets 11:25 < Otacon22> around 200-600 Bytes 11:26 < Otacon22> but the MTU is 1500, why is it not sending packets fitting the MTU? 11:36 < darlinger> because it is and it's probably something else that's making things slow? :/ 11:44 < Otacon22> darlinger, bandwidth is not limited on upload 11:48 < Otacon22> with iperf on the same udp port (1194), I can reach 100Mbps, while in the vpn it's only ~15Mbps 12:01 < Otacon22> darlinger, i'm running iperf on the pc when it's configured to tunnel all the traffic through the vpn. I'm pointing to another unrelated server on the internet of which I have control. When I send with 10M rate, I receive all the traffic on the other server. When I send 90M, nearly all the packets are lost 12:17 < darlinger> can you generate some MTR reports? 
12:17 < darlinger> both ways 12:17 < darlinger> need to see where exactly the packet loss is happening 12:17 < darlinger> mtr -rwc 100 12:29 -!- Netsplit *.net <-> *.split quits: +hazardous, +RBecker, @mattock 12:30 -!- Netsplit over, joins: RBecker, mattock 12:30 -!- mode/#openvpn [+v RBecker] by ChanServ 12:30 -!- mode/#openvpn [+o mattock] by ChanServ 12:30 -!- Netsplit over, joins: hazardous 12:30 -!- mode/#openvpn [+v hazardous] by ChanServ 12:30 -!- mattock_ [~mattock@openvpn/corp/admin/mattock] has joined #openvpn 12:30 -!- mode/#openvpn [+o mattock_] by ChanServ 17:51 -!- rich0_ is now known as rich0 22:48 < hiya> Anyone else using eurephia? 23:16 < _FBi> hiya, negtron 23:17 < _FBi> s/negtron/negatron 23:17 < hiya> _FBi, Hey do you use it? 23:17 < _FBi> negative 23:20 < hiya> _FBi, how do you manage user auth then? 23:20 < hiya> Do not have user/pass? 23:20 < hiya> :P 23:20 < _FBi> nah, I'm free wheeling! 23:23 < hiya> TLS (certs) only? 23:25 < _FBi> I'm kidding. I told you SQL and Freeradius. (yes TLS, too) 23:25 < hiya> Freeradius omg 23:25 < hiya> I am trying to implement eurephia 23:25 < hiya> but getting 23:26 < hiya> PLUGIN_CALL: plugin function PLUGIN_TLS_VERIFY failed with status 1: /usr/lib/eurephia/eurephia-auth.so 23:26 < hiya> and on client side it preserves at 23:26 < hiya> https://lut.im/bVDXfgEhXu/0x6dwr1ZU4oRBvqK.png 23:27 < hiya> also the depth 0 CN = server on client side is weird 23:27 < hiya> What could be the problem? 
23:28 < _FBi> I would have to direct you to google 23:30 < hiya> _FBi, omg I think I found the problem 23:30 < hiya> it is authenticating 23:30 < hiya> but this plugin does not support more than 32char in passwords I guess 23:31 < hiya> I think so 23:31 < _FBi> you haven't blacklisted yourself have you 23:31 < hiya> _FBi, it blacklisted it 23:31 < hiya> and remove it 23:31 < hiya> it does again 23:31 < hiya> I remove again 23:32 < hiya> but I did not try smaller password 23:32 < hiya> it happens with admin pass for database too 23:32 < hiya> I think so is the problem 23:37 < hiya> _FBi, Do you suggest something else? 23:39 < _FBi> for? 23:39 < hiya> user authentication 23:39 < hiya> :P 23:40 < hiya> _FBi, PAM auth offered by openVPN sucks 23:40 < hiya> it would auth anyone's user/pass with anyone's TLS certs 23:41 < hiya> it does not match them 23:45 < _FBi> don't be an askhole 23:58 < _FBi> Freeradius ASQL 23:58 < _FBi> SQL --- Day changed Sat Feb 20 2016 00:01 < hiya> _FBi, you do not understand my problem 00:01 < hiya> :( 00:04 < hiya> Secure auth is always an issue 00:06 < _FBi> freeradius has a login 00:07 < hiya> _FBi, but eurephia is coool too :P I love it but I don't know where the problem is 00:08 < _FBi> fix the problem 00:09 < hiya> I'm trying to but since it is used by only a few 00:09 < hiya> It is hard to debug 00:09 < hiya> Maybe I should increase the logging 00:10 < _FBi> ya think? 00:11 < hiya> I think I should wait 00:11 < hiya> before I get appropriate help 00:11 < hiya> _FBi, until then messed up OpenVPN-pam-auth is fine 00:14 < _FBi> use a vm 00:17 < hiya> _FBi, how is your VPN business? 00:40 < _FBi> hiya, shall I continue? 
lol 00:42 < hiya> no 00:42 < hiya> people like us run Community VPNs with donations / support from community only 00:42 < hiya> so you should not 00:42 < hiya> you should rather support our league 00:42 < hiya> :P 00:43 < hiya> We have Multiple locations in EU 00:43 < hiya> soon would expand to Asia and US 00:43 < hiya> all for free 00:44 < hiya> _FBi, soon we would implement "secure auth and retire PAM auth" 00:46 < _FBi> I may troll your channel more, if I'm allowed? 01:03 < al_the_noob> !welcome 01:03 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample 01:03 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 01:04 < al_the_noob> !goal 01:04 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 01:08 < al_the_noob> I have a RPi which is configured to use a commercial VPN service. It runs the ovpn client as a daemon. It currently routes all traffic over vpn. I have my home asus router running as an ovpn server. I would like to be able to remote into my home network, and then in turn communicate with my RPi via the LAN. Currently this does not work, and I suspect it's a routing issue. Any help/suggestions would be lovely. 01:10 < al_the_noob> I am able to SSH into the RPi when I'm on my home network using its LAN IP. It's only when the second (home) VPN connection is involved that the communication fails. 
01:12 < al_the_noob> !sample 01:12 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man) or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting 01:13 < al_the_noob> !paste 01:13 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show 01:24 < hiya> _FBi, what? 01:27 < al_the_noob> here's my configs, if that'll help. 01:27 < al_the_noob> https://gist.github.com/thealanberman/ce0a217ea74761c0d6a0 01:27 <@vpnHelper> Title: OpenVPN configs · GitHub (at gist.github.com) 01:30 < _FBi> night guys 01:30 < hiya> _FBi, What are you trying to say? 03:57 < aix> Hi 04:02 < hiya> aix, hey what's up? 
04:02 < aix> hiya hiya :P 04:34 < runrig4> hi, traffic isn't being forwarded from eth0 to tun0 on server 04:34 < runrig4> trying to use vpn to browse internet 04:44 < runrig4> here is all the settings and logs 04:44 < runrig4> http://pastebin.ca/3377354 04:44 < runrig4> mostly i think the firewall script is not correct 05:16 < runrig4> sorted, didnt enable ip forewarding 05:16 < runrig4> how do i change the default 1 hour new key time 05:16 < runrig4> i want it to be longer like a week 05:16 < hiya> runrig4, by changing it in the server.conf 05:17 < hiya> reneg-sec 7200 <-- 2 hours 05:17 < hiya> you can set it to more 05:17 < hiya> set reneg-sec 0 in client.conf 05:18 < runrig4> so in server reneg-sec 604800 05:18 < runrig4> in client reneg-sec 0 05:18 < hiya> ok 05:18 < runrig4> just in my country they see the key negotation and use it to block openvpn 05:18 < runrig4> so i hope extend it makes less obvious 05:18 < hiya> ok 05:18 < hiya> no problem 05:18 < hiya> ok 05:19 < runrig4> last Q then i have to go, ty for the help 05:19 < runrig4> is it ok use udp on port 444? 05:19 < runrig4> thats the setup 05:19 < hiya> yes 05:19 < hiya> use port 443 05:19 < hiya> :) 05:19 < hiya> for UDP 05:19 < runrig4> why 443, isn't that for tcp 05:19 < hiya> they do not generally mess with it even in UDP 05:19 < runrig4> tcp is slower i think 05:19 < hiya> use 443 UDP 05:20 < runrig4> ok :) 05:33 < jophish_> Hi 05:34 < jophish_> I'm using openvpn but I just want to ssh into a remote machine, at the moment I can do that but when I have a ovpn connection open I can't access the internet 05:34 < jophish_> all I want to do is run ssh over an openvpn connection to a particular IP and leave all other traffic alone 05:34 < jophish_> is there a way to do this on the client? 
05:42 < hiya> jophish, simply use a VM 05:42 < hiya> and do SSH from there 05:42 < hiya> after connecting it to the server 06:19 -!- rich0_ is now known as rich0 06:35 < Mazhive> hi guys some one available to get mine running , ?? 06:36 < Mazhive> cant figure out this output/... [....] Starting virtual private network daemon: Server/etc/init.d/openvpn: 84: /etc/init.d/openvpn: start-stop-daemon: not found 06:36 < Mazhive> start file seems oke.. according to path refrences 06:59 < nohitall> hi, I get a "no shared ciphers" error, but it was working for months now and I didnt touch it, config here https://arke.xyz/view/raw/e0cdee9f 07:00 < nohitall> obviously they are the same cipher sets, so I dont understand really whats happening 07:02 < nohitall> 2.3.4 on server, 2.3.9 on client 07:02 < nohitall> I just used it yesterday lol 07:03 < nohitall> I am dumbfunded since I was using it until yesterday without issues and nobody but me has control over the server 07:09 < Neighbour> Mazhive: sounds like your initscrit can't locate "start-stop-daemon" 07:09 < Neighbour> initscript* 07:12 < nohitall> if I check with openssl cipvers version I see all on both that are defined in the configs 07:12 * nohitall confused 07:46 -!- kloeri is now known as bosslady 08:20 < CygniX> with easyrsa3.x, if you opt for ec instead of rsa, do you still use dh option in server.conf? 
08:41 -!- bosslady is now known as kloeri 09:12 < Colti> Hi which options needs to be set in openvpn server.conf to get ipv6 working 09:12 < Colti> i set the ip forwarding in sysctl.conf for ipv4 and ipv6 09:13 < Colti> but only ipv4 is working 09:14 < Colti> i want to use the openvpn server as a dual stack gateway to be connected with ipv4 and ipv6 network 09:23 < nohitall> Colti: in server and client config use proto udp6 09:23 < nohitall> Colti: https://community.openvpn.net/openvpn/wiki/IPv6 09:23 <@vpnHelper> Title: IPv6 – OpenVPN Community (at community.openvpn.net) 09:31 < Colti> ahh cool thx, if i got it right for to get just a dual stack gateway it enought to follow this guide: Providing IPv6 outside the tunnel 09:31 < Colti> setting proto udp6 is enough 09:41 < CygniX> is there example or manual for server.conf when using elliptic curve ? 09:48 < nohitall> CygniX: ECDHE or you mean for the stream itself? 09:49 < nohitall> from what I understand ECC is still not supposed, I seen some hacks though 09:49 < CygniX> oh 09:49 < nohitall> only for the DHE 09:49 < CygniX> I just followed the directions from vars with easyrsa3 09:50 < nohitall> well openssl uses ECDHE, but thats just the key exchange 09:50 < nohitall> but maybe I am not up2date 09:51 < CygniX> line 99 says, 'The default crypto mode is rsa; ec can enable elliptic curve support.' 09:51 < CygniX> so on line 105, I changed it to 'set_var EASYRSA_ALGO ec' 10:09 < CygniX> does openvpn not support SHA2 signed certs? 10:09 < hiya> CygniX, SHA256 is there? 10:10 < hiya> SHA512 is required? 10:11 < SupaYoshi> Hi 10:11 < SupaYoshi> anyone good with iptables here? 10:11 < SupaYoshi> I tried to route some traffic over this vpn tunnel, using this . 10:11 < SupaYoshi> http://askubuntu.com/questions/37412/how-can-i-ensure-transmission-traffic-uses-a-vpn 10:11 <@vpnHelper> Title: server - How can I ensure transmission traffic uses a VPN? 
- Ask Ubuntu (at askubuntu.com) 10:11 < SupaYoshi> sudo iptables -A OUTPUT -m owner --gid-owner vpnroute \! -o tun1 -j REJECT 10:11 < SupaYoshi> but now no internet at all for that usergroup. 10:14 < CygniX> hiya: I don't know honestly, but here is what the error looks like on the server side: https://paste.opensuse.org/26f8c453 10:15 < hiya> This Connection is Untrusted 10:16 < CygniX> opensuse sillyness 10:16 < CygniX> http://paste.opensuse.org/26f8c453 10:19 < hiya> CygniX, Do you use TLS 1.2? 10:19 < hiya> on server side? 10:19 < hiya> what tls-cipher do you use? 10:20 < CygniX> hiya: one sec let me paste server.conf 10:20 < hiya> Ok 10:22 < DArqueBishop> CygniX: the client config file would be useful too. 10:23 < hiya> CygniX, if you are using TLS 1.2 ciphers in server 10:24 < hiya> and using dumbass OpenVPN 2.3.4 10:24 < hiya> it won't work 10:24 < hiya> it is defective piece 10:24 < CygniX> server.conf http://paste.opensuse.org/489ff12c 10:26 < hiya> CygniX, ok server.conf is nothing special 10:26 < hiya> client.conf? 10:26 < hiya> CygniX, which OS on client? 10:26 < hiya> CygniX, client.conf = messed up 10:26 < hiya> :) 10:27 < CygniX> client.conf http://paste.opensuse.org/681416b5 10:27 < CygniX> the servers is debian jessie, client os is opensuse 10:28 < CygniX> it works fine if I use easyrsa2.x 10:28 < CygniX> I wanted to test easyrsa3 and eliptic curve. 10:29 < hiya> lol 10:30 < hiya> CygniX, it is not support yet :) wait for 2.4 10:30 < hiya> OpenVPN 10:30 < CygniX> oh 10:31 < CygniX> damn, that was a tremendous amount of waste of time :P 10:33 < hiya> CygniX, but good job :) Try tuning 2.3.x with easyrsa2.x 10:33 < hiya> Get the best setup possible 10:33 < hiya> :) 10:33 < hiya> Try different auth modes etc 10:35 < CygniX> wait, easyrsa3 wont work with openvpn 2.3.x, hiya? 
10:36 < CygniX> the issue I see here was using ec instead of the default rsa in vars 10:37 < hiya> CygniX, no it would not 10:37 < hiya> 2.4 10:37 < hiya> and then it would work 10:37 < hiya> you want EC crypto mode instead of RSA right? 10:37 < CygniX> I was talking about something else, when you mentioned using easyrsa2.x with openvpn 2.3.x. 10:38 < CygniX> I read it as you saying easyrsa3.x does not work with openvpn 2.3.x 10:38 < hiya> EC crypto mode do not work until you have 2.4 10:39 < CygniX> easyrsa3.x allows one to use normal rsa or ec. 10:39 < CygniX> yea, that I got. 10:39 < hiya> tls-cipher TLS-ECDHE do not work until 2.4 10:39 < hiya> although it has nothing to do with RSA/EC mode 10:39 < hiya> ECDHE is just not supported yet 10:39 < hiya> :) 10:39 < hiya> EC!!! 10:39 < hiya> heh 10:41 < CygniX> thanks for the information. I probably would have been at it for a few more hours wondering why it's not working. :) 10:42 < hiya> ok 10:56 < hiya> CygniX, I hope you did not revoke the keys / client keys 10:58 < Mazhive> initscript hmm i have one in in /etc/init.d/ 10:58 < Mazhive> called openvpn...? 10:59 < Otacon22> darlinger, apparently I found the problem of the other day with my VPN being slow on upload. My server is on OVH, and ... 10:59 < Otacon22> https://forum.ovh.co.uk/showthread.php?5447-The-attacks 11:01 < Otacon22> OVH is so stupid that is rate limiting UDP on any port, no matter what 11:01 < Otacon22> and if I want to disable the rate limit, of course I have to pay 11:03 < hiya> Otacon22, lol 11:03 < hiya> wtf 11:03 < Mazhive> Neighbour i also have them in all /etc/rcX.d folders 11:03 < Otacon22> Never use OVH. Ever. 11:20 < CygniX> hiya: why? 
11:21 < hiya> CygniX, that msg is common when you do it, although in your case NOT support is the cause :) 11:22 < CygniX> na, they were mintly created 11:40 < _FBi> !seen krzee 11:40 <@vpnHelper> krzee was last seen in #openvpn 2 days, 1 hour, 5 minutes, and 50 seconds ago: !factoids search app 11:40 < _FBi> heh 12:11 < hiya> CygniX, ok then :) I thought maybe you did the worse mistake 12:43 < darlinger> Otacon22: you can always try Linode :) 12:46 < Drexir> when connected to vpn what is the difference between udp and tcp? 12:49 < darlinger> Drexir: udp has better performance 12:50 < darlinger> TCP encapsulated in TCP is a bad idea in general 12:50 < Otacon22> exactly, basically the inner TCP is trying to calculate the speed of the link while the link is changing 12:51 < darlinger> when the outside one starts timing out, it gets REALLY bad 12:51 < Otacon22> this is a graph of a ping on a VPN via TCP or via UDP between the same two hosts: 12:51 < Otacon22> https://otacon22.it/upload/vpn-tcp-udp.png 12:52 < Otacon22> think about VoIP calls in the TCP case and start to cry 12:52 < darlinger> lol 12:53 < darlinger> what happens is that if the outer TCP session is delayed, it holds back the inner TCP session 12:53 < darlinger> and then they start retransmitting like crazy 12:53 < darlinger> it stacks up 12:53 < Drexir> darlinger, Otacon22: thanks 12:54 < darlinger> however, TCP is useful in highly constrained situations 12:54 < darlinger> like when firewalls suck 12:54 < Otacon22> darlinger, btw I can't change server provider because the server is not mine, I'm just managing it. The solution would be to find a way to tell linux to disable congestion control for the openvpn connection 12:54 < Otacon22> however afaik you can only change the congestion control globally on the os 12:54 < darlinger> they're probably throttling it at the routers. 
no go 12:55 < darlinger> Drexir: more info http://sites.inka.de/bigred/devel/tcp-tcp.html 12:55 <@vpnHelper> Title: Why TCP Over TCP Is A Bad Idea (at sites.inka.de) 12:55 < Otacon22> darlinger, not TCP afaik, only UDP 12:55 < darlinger> Otacon22: ohhhhhhh so you'll change the TCP stack in the kernel 12:55 < Drexir> If using a vpn and the vpn provides a SOCKS5 proxy what is the benefit of using that? 12:55 < Otacon22> another idea I had is to write an iptables target module to convert the UDP header into a TCP one before sending on the wire 12:56 < Otacon22> should not be too complicated, I know how to write netfilter stuff 12:56 < darlinger> Drexir: proxy is only for application level 12:56 < Drexir> oh ok like a browser or irc client etc 12:56 < darlinger> VPN is at IP level 12:56 < darlinger> pretty much just HTTP afaik 12:57 < Drexir> darlinger: wait are you suggesting a vpn only encrypts http and https ports? 12:57 < darlinger> no, I'm saying proxies do 12:57 < darlinger> and proxies don't encrypt 12:57 < darlinger> well some of them do 12:57 < darlinger> that's a lie 12:58 < Drexir> yea proxy and vpn can really be interchanged as terms :P 12:59 < darlinger> no, they really can't 12:59 < darlinger> proxy is application level. VPN is IP level 13:00 < darlinger> sorry, Network layer 13:00 < darlinger> https://en.wikipedia.org/wiki/OSI_model 13:00 <@vpnHelper> Title: OSI model - Wikipedia, the free encyclopedia (at en.wikipedia.org) 13:02 < darlinger> I haven't had my coffee yet -_- 13:02 < Eugene> !beer 13:02 <@vpnHelper> "beer" is what's for dinner (and occasionally breakfast) 13:02 < Drexir> https://github.com/gorhill/uBlock/wiki/Prevent-WebRTC-from-leaking-local-IP-address 13:02 <@vpnHelper> Title: Prevent WebRTC from leaking local IP address · gorhill/uBlock Wiki · GitHub (at github.com) 13:02 < Drexir> could anyone explain to me how I would test that? 13:04 < darlinger> Drexir: have fun! 
http://ip-check.info/index.php?jsID=13458686abc&auth=990499872&145599480423818=145599480423818tc-979434416c-115289194&referer=unchanged 13:04 <@vpnHelper> Title: IP check (at ip-check.info) 13:04 < darlinger> bloop. that's mine :p oops 13:05 < darlinger> http://ip-check.info/?lang=en 13:05 <@vpnHelper> Title: IP check (at ip-check.info) 13:05 < darlinger> once it's on IRC, it's there forever :P 13:05 < darlinger> ope nope. good. doesn't show my info 13:08 < wsky> hey 13:08 < wsky> i;m getting this server side: 13:08 < wsky> Sat Feb 20 20:03:28 2016 83.25.26.111:26902 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) 13:08 < wsky> Sat Feb 20 20:03:28 2016 83.25.26.111:26902 TLS Error: TLS handshake failed 13:08 < wsky> any ideas? 13:08 < wsky> it was working all time long untill i woke up today and out of the sudeen i'm getting this 13:08 < hiya> wsky, ok could be client side issues 13:09 < wsky> well it's not the client os since i'm experiencing it on two different oses on this machine 13:10 < darlinger> TLS is the control channel 13:10 < darlinger> hmmm 13:10 < hiya> wsky, did you change anything last night? 13:10 < darlinger> do you have debug output? 13:10 < wsky> i haven't changed nothing 13:10 < darlinger> change the verbosity of your logs and pastebin it 13:10 < Drexir> darlinger: eh I prefer a test site that isn't trying to sell me something 13:11 < wsky> also my phone on a different network is not experiencing no issues of this sort 13:11 < darlinger> Drexir: they offer most of their stuff for free 13:11 < darlinger> either way, have fun googling it yourself 13:11 < wsky> darlinger: which logs? 13:11 < wsky> server, client side or both? 13:11 < darlinger> wsky: both 13:12 < darlinger> put verb like up to 6 13:12 < wsky> i even rebooted my server 13:13 < darlinger> ...logs... 
13:13 < wsky> i know 13:13 < wsky> but i'm thinking 13:13 < wsky> my phone is not having any issues 13:13 < darlinger> how do you have RSA set up? 13:13 < darlinger> how are you authing? 13:13 < wsky> so it might be my isp perhaps? 13:14 * darlinger shrugs. 13:14 < wsky> or my local network 13:14 < wsky> bu i've rebooted the router and my switch 13:14 < darlinger> are you able to ping your server at least? 13:15 < darlinger> is there packet loss? 13:15 < wsky> well i'm talking from it atm 13:15 < Drexir> darlinger: if at all possible you want to source your information from a party that is not trying to make a profit off of said information. 13:15 < wsky> but i'm not connected via vpn 13:15 < wsky> i auth using client keys 13:15 < darlinger> Drexir: whatever 13:16 < darlinger> Drexir: https://www.privacytools.io/ 13:16 <@vpnHelper> Title: privacy tools - encryption against global mass surveillance 🔒 (at www.privacytools.io) 13:16 < darlinger> there's also that 13:16 < Drexir> darlinger: Thank you. I guess you don't agree with me? 13:16 < SAKUJ0> o7. this is weird. the first time i stumble on MTU issues, but just on the ONE server and just ONE colleague (the only one that uses OSX). 13:16 < SAKUJ0> This connection is unable to accomodate a UDP packet size of 1557. Consider using --fragment or --mssfix options as a workaround. 13:17 < darlinger> Drexir: JonDoFox is fine 13:17 < SAKUJ0> Which is clearly too high 13:17 < SAKUJ0> Using the fragment and mssfix options has to be set up on BOTH client and server though, right? 
13:17 < SAKUJ0> IIRC the "mtu-test" option is client side 13:18 < darlinger> not sure 13:18 < darlinger> should say in the manpage 13:18 < darlinger> you can always try pushing settings too 13:18 < Drexir> darlinger: anyways the only problem with turning off most of that stuff is sadly it tends to break like most of the internet lol 13:19 < darlinger> webrtc not so much 13:19 < darlinger> unless you're using something that requires your cam or mic 13:22 < Drexir> no i mean like cookies, plugins, local storage, etc 13:22 < darlinger> not really 13:22 < darlinger> the big thing is JS 13:22 < darlinger> and some sites will get pissed at you if you don't use cookies 13:23 < darlinger> this is an Openvpn channel though, and not a privacy channel 13:25 < Drexir> darlinger: yea may I ask you these questions Data Encryption, Data Autehentication, Handshake. What are the real world performance hits oh say changing data encryption from AES-128 to 256 or blowfish 13:26 < darlinger> I know that changing from RSA 2048 to 4096 is 5 times more cpu expensive 13:27 < SAKUJ0> Not sure if those three lines were in response to me dar.linger. But the openvpn man page does not address whether fragment and mssfix have to be set up client side or both server and client side. Just in my testing phase I remember the error messages. 13:27 < SAKUJ0> I am sure the HowTo has more information on this 13:27 < darlinger> Drexir: http://csrc.nist.gov/archive/aes/round1/conf2/Schneier.pdf 13:27 < darlinger> Drexir: http://security.stackexchange.com/questions/14068/why-most-people-use-256-bit-encryption-instead-of-128-bit I would take this one with a grain of salt 13:27 <@vpnHelper> Title: cryptography - Why most people use 256 bit encryption instead of 128 bit? 
- Information Security Stack Exchange (at security.stackexchange.com) 13:32 < darlinger> Drexir: this one is a bet more coherent http://www.cse.wustl.edu/~jain/cse567-06/ftp/encryption_perf/ 13:32 <@vpnHelper> Title: Performance Analysis of Data Encryption Algorithms (at www.cse.wustl.edu) 13:48 < wsky> i'm guessing it's my isp playing games 13:49 < darlinger> did you get logs? 13:51 < wsky> not yet 13:51 < wsky> i'm kinda worried about showing all the ips in public 13:55 < SAKUJ0> The community doc mentions we are not supposed to do CA PKI tasks or generate private keys as a privileged user. Why is that? 13:56 < wsky> also i'm not sure what keys are being exposed in verbose logs 13:56 < SAKUJ0> It explicitly says to create a restricted/limited account for that purpose. 13:56 < SAKUJ0> But that is the same thng, except for being even more permissive. Which is, why I am confused 13:57 < SAKUJ0> It also directly contradicts the Arch Linux wiki. Which guides us to copy the `easy-rsa` folder to /root. 13:57 < SAKUJ0> Note that while mssfix only needs to be specified on one side of the connection, fragment should be specified on both. 13:57 < SAKUJ0> sry wc 13:57 < SAKUJ0> https://community.openvpn.net/openvpn/wiki/Hardening 13:57 <@vpnHelper> Title: Hardening – OpenVPN Community (at community.openvpn.net) 13:57 < SAKUJ0> Please ignore the "Note that" line 14:04 < hiya> use Passwords as Auth Mode with ca.crt vs client.crt, client.key, ca.crt + password as auth mode, which one is more secure? 14:09 < darlinger> wsky: just redact the IPs. use sed or something 14:09 < wsky> no that's fine 14:09 < darlinger> SAKUJ0: I have no clue why. honestly you should be fine, though try to keep your CA on an encrypted drive or something 14:09 < wsky> i'm having connectivity issue with or without vpn actually 14:09 < wsky> issues 14:09 < darlinger> hiya: use pki 14:10 < wsky> i think it's my isp. 
i will wait 14:10 < darlinger> wsky: lol well there you go 14:10 < darlinger> wsky: generate some MTR reports 14:11 < hiya> darlinger, So certs? 14:11 < hiya> private key for auth? 14:11 < darlinger> yes 14:11 < darlinger> though it doesn't matter too much as long as you're using a CA 14:11 < darlinger> depends on how many people are using it 14:11 < darlinger> or how many devices 14:12 < darlinger> I always prefer pki 14:12 < darlinger> you can also encrypt the private keys so that it still requires a password 14:12 < hiya> darlinger, is there a way I need not provide user.crt / user.key to clients and maybe I could just let them use their own by signing theirs with my root CA? 14:13 < darlinger> https://jamielinux.com/docs/openssl-certificate-authority/ 14:13 <@vpnHelper> Title: OpenSSL Certificate Authority Jamie Nguyen (at jamielinux.com) 14:13 < darlinger> http://www.davidpashley.com/articles/becoming-a-x-509-certificate-authority/ 14:13 <@vpnHelper> Title: Becoming a X.509 Certificate Authority - David Pashley.comDavid Pashley.com (at www.davidpashley.com) 14:13 < darlinger> basically they'll generate .csr's for you and you'll sign them and return them as certificates 14:14 < hiya> darlinger, .csr is always there when I build client keys 14:14 < hiya> so they do it on their own computer? 14:14 < hiya> and send it to me? 14:14 < darlinger> yes 14:14 < hiya> How do I sign then? 14:14 < hiya> like gpg keys? 14:14 < darlinger> they create their own keys and then create a request 14:15 < darlinger> you take the request and sign it to create a cert 14:15 < darlinger> then you give them the cert and their private key will be valid 14:15 < darlinger> I believe you might be able to pull it off with easy-rsa as well 14:15 < darlinger> though I haven't done it myself 14:16 < hiya> I am searching for it using easy-rsao nly 14:16 < hiya> :P 14:16 < hiya> ./sign-req 14:16 < hiya> :) 14:17 < hiya> darlinger, so sending .csr over unecrypted channels harmful? 
14:18 < hiya> darlinger, how should they give me .csr? 14:18 * darlinger shrugs. sneakernet? idk. use common sense 14:18 < hiya> :( 14:18 < darlinger> lol encrypt it using gpg and use email 14:19 < darlinger> that part's completely off topic 14:19 < hiya> darlinger, oh I use Tox to send out such things end to end encrypted :) or I just gpg encrypted or gpg -c or 7z encrypt 14:20 < darlinger> yes 14:20 < hiya> darlinger, but Can we revoke these request keys the same way? 14:20 < hiya> is it stored in the database? 14:20 < hiya> the same way? 14:20 < darlinger> you can revoke without contact with the client 14:20 < hiya> Wow 14:20 < hiya> I did not know about this .csr thingy at all 14:20 < hiya> now I do 14:20 < hiya> What is the benefits? 14:21 < darlinger> http://www.zytrax.com/tech/survival/ssl.html 14:21 <@vpnHelper> Title: Survival Guide - TLS/SSL and SSL (X.509) Certificates (CA-signed and Self-Signed) (at www.zytrax.com) 14:21 < darlinger> you can do it either way 14:21 < darlinger> really 14:21 < darlinger> it's just my preferred way 14:22 < hiya> but what is the benefit if client cook their own certs vs I prove them? 14:23 < darlinger> the benefit is on them. they get to keep their private key secret to them 14:23 < darlinger> honestly it depends on how you set it up 14:23 < darlinger> I've never had to deal with multi-user stuff before 14:24 < hiya> darlinger, I run a VPN for people, and I have 15+ users (active) and I need to study all this deeply 14:24 < hiya> I am thinking about changing from Certs Auth to Passwords only 14:25 < darlinger> you can do that too 14:25 < darlinger> as l