--- Day changed Mon Jan 01 2018
04:19 < notadrop> !welcome
04:19 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal ' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
04:19 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
04:20 < notadrop> !howto
04:20 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, https://community.openvpn.net/openvpn/wiki/HOWTO PLEASE READ IT!, or (#2) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
06:42 <+hyper_ch> dazo: ecrist: krzee: ordex: https://player.vimeo.com/video/148946917
06:42 <@vpnHelper> Title: Star Wars Episode IV.1.d: The Pentesters Strike Back from CyberPoint International on Vimeo (at player.vimeo.com)
06:43 <@ordex> morning and happy new year :)
06:46 <+hyper_ch> ordex: I want 2017 back
06:58 <@ordex> why why?
08:04 <+hyper_ch> because the first digit in my age changes this year
08:06 <+rob0> uh oh, from what to what?
08:06 <+rob0> have you considered converting to hexadecimal yet?
08:07 <+rob0> I did, quite some time back.
08:07 <+hyper_ch> 3 -> 4 :(
08:07 <+rob0> 0x28
08:07 <+hyper_ch> sounds much better :)
08:08 <+hyper_ch> (disclaimer, my age in decimal system only has 2 digits)
08:08 <+rob0> haha, I guessed that
08:25 <@ordex> ahah :D
08:26 <@ordex> rob0: good one ;)
08:47 <+hyper_ch> so, did you click the link?
09:05 <@ordex> hyper_ch: yes, but honestly i didn't find it funny :P
09:07 <+hyper_ch> ordex: you have no humour
09:07 <@ordex> :P
10:02 < BenderRodriguez> why is it
10:03 < BenderRodriguez> when I try to connect to my openvpn server while i'm in my LAN, it doesn't work
10:03 < BenderRodriguez> but outside it does
10:03 < BenderRodriguez> maybe NAT issues?
10:05 <@ordex> BenderRodriguez: is the server in your own LAN too ?
10:06 < BenderRodriguez> yes
10:06 < BenderRodriguez> the server is in 10.0.2.0/24 my openvpn client is on 10.0.3.0/24 but still behind the same NAT
10:16 < skyroveRR> BenderRodriguez: hello
10:35 <@ordex> BenderRodriguez: if you connect to your server using the public IP when you are in the LAN, I guess it will reject the connection because it will see the IP change
10:54 < BenderRodriguez> skyroveRR: it's you :O
10:54 < BenderRodriguez> ordex: ok
10:54 < skyroveRR> BenderRodriguez: yup, me.
10:54 < skyroveRR> BenderRodriguez: ;)
12:33 < Sia-> hi
12:33 < Sia-> my openvpn version is https://pastebin.com/raw/Hkx4RNvR
12:34 < Sia-> but can't read pass and user in file.conf
12:34 < Sia-> http://dpaste.com/1C4VCT0
12:35 < Sia-> i was looking in your forum, doesn't help all of this threads
12:35 < Sia-> any idea whats wrong?
12:36 <+rob0> just what it says, see --auth in the man page
12:37 < Sia-> rob0 if i read the auth manual, have a fix? or you just try to push my question with other question
12:40 <+rob0> hm? Is this --auth or --auth-user-pass?
12:42 <+rob0> anyway, I don't use that, nor do I know what you're needing, so I probably won't have useful suggestions.
12:42 < Sia-> i've just added login.txt to .ovpn file
12:42 <+rob0> I've used TLS certificate auth only.
13:00 < jason85> Hello. How can I connect openvpn to a vpn server at startup in ubuntu?
14:39 < Jakethepython> hello room can open vpn use LDAP?
14:40 < Jakethepython> for authentication
14:40 < notadrop> a quick search suggests that the answer may be 'yes'
14:40 < notadrop> https://www.startpage.com/do/dsearch?query=openvpn+ldap
14:40 <@vpnHelper> Title: openvpn ldap - Startpage Web Search (at www.startpage.com)
14:41 < Jakethepython> currently the openVPN server though is through my ASUS router not a linux machine
16:10 -!- mode/#openvpn [+o ordex] by ChanServ
16:47 < rippingdeath> hi! i am using openvpn, and it automatically changes my resolv.conf to use the tun0 interface for dns resolution. would i benefit in any way by running dnscrypt-proxy/unbound and doing my own resolution outside of the vpn?
16:51 < rippingdeath> quit
17:12 < cstk421> having an issue with tls https://paste.ee/p/FbmTP
17:12 < cstk421> fails to negotiate in 60 secs
22:39 < alker> anyone ever running an openvpn server on android?
22:39 < alker> i'm using this
22:39 < alker> https://play.google.com/store/apps/details?id=com.icecoldapps.serversultimatepro
22:40 < alker> it provides some precompiled binaries and certificates
22:40 < alker> i'm able to connect from a windows client
22:40 <+rob0> precompiled certificates?!?
22:41 < alker> precompiled binaries
22:41 < alker> as well as some pre generated certicates
22:41 < alker> certificates
22:42 < alker> i'm able to connect from a windows client, but ping does not work
22:42 <+rob0> pre-generated certificates sound not so secure :)
22:42 < alker> route print shows exactly the same when connecting to a working ubuntu vpn server
22:43 <+rob0> The problem is probably your firewall.
22:43 < alker> I agree, but that apk uses that
22:43 < alker> yeah
22:43 < alker> but I tried almost everything to modify iptables
22:44 <+rob0> Windows also has a firewall
22:44 <+rob0> !iptables
22:44 <@vpnHelper> "iptables" is (#1) To test if netfilter ("iptables rules") are your problem, disable all rules with an ACCEPT policy. See https://github.com/QueuingKoala/netfilter-samples/tree/master/reset-rules for a script to do this., or (#2) See also the manpage section on firewalls at this link: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG, or (#3) These are just the basics to get you started
22:44 <@vpnHelper> as firewall design is beyond this channel's scope; you can also see #netfilter
22:44 < alker> i have a working vpn server on ubuntu
22:45 < alker> the windows client is fine to connect
22:45 < alker> so the problem is on the android server side
22:47 <+rob0> If you have a root shell on the android, ^^ that should work
22:48 < alker> i'm testing on androidx86
22:48 < alker> it has root
22:49 < alker> I do tried a lot suggestions on the internet
22:59 < pekster> alker: A ping doesn't work to what? If you can't ping the VPN server private IP across the VPN, the issue is almost surely the firewall. Work forward from there the same way you'd debug any connectivity issue
--- Log closed Tue Jan 02 02:55:51 2018
--- Log opened Wed Jan 03 07:09:59 2018
07:09 -!- Irssi: #openvpn: Total of 309 nicks [7 ops, 0 halfops, 4 voices, 298 normal]
07:09 -!- mode/#openvpn [+o ecrist] by ChanServ
07:10 -!- Irssi: Join to #openvpn was synced in 1 secs
10:09 < teccc> hello
10:09 < teccc> having issues with using dd-wrt openvpn client to connect to my openvpn server
10:11 < teccc> I can see in the openvpn logs
10:11 < teccc> 20180103 17:01:41 N TLS Error: TLS handshake failed
10:12 < teccc> 20180103 17:02:46 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
10:13 < teccc> I put in my tls auth key, ca cert, public client cert and private client key
10:13 < teccc> in the openvpn client fields
10:14 < |Mike|> !configs
10:14 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
10:14 < |Mike|> !logs
10:14 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
10:14 < |Mike|> teccc:
10:14 < |Mike|> ^
10:15 < teccc> ok
10:23 < teccc> !paste
10:23 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show, or (#2) paste.ee is
10:23 <@vpnHelper> also nice, or (#3) termbin is good. just from command line cat file.txt | nc termbin.com 9999 , will return 'termbin.com/1234'
10:25 < teccc> |Mike|: ready
10:25 < teccc> https://gist.github.com/TecR0c/9d861fe6c93b3c0afaffce632d132302
10:25 <@vpnHelper> Title: server.conf · GitHub (at gist.github.com)
10:26 < teccc> https://gist.github.com/TecR0c/12a9fb6f9e5fb4a6a996a8701a11a3d7
10:26 <@vpnHelper> Title: openvpn_client · GitHub (at gist.github.com)
10:27 < |Mike|> and the client config?
10:28 < |Mike|> !chroot
10:28 < teccc> ok one second
10:29 < |Mike|> line 10 and 11 are correct paths in your server.conf?
10:29 < |Mike|> Caveats: because chroot reorients the filesystem (from the perspective of the daemon only), it is necessary to place any files which OpenVPN might need after initialization in the jail directory, such as:
10:29 < |Mike|> the crl-verify file
10:30 < teccc> My laptop connects perfectly to the openvpn server
10:30 < |Mike|> with the exact same configuration?
10:30 < teccc> I am trying to make it so the openvpn client in dd-wrt can do it
10:31 < teccc> one second i will get you the client configs
10:32 < teccc> https://gist.github.com/TecR0c/d158e55745ac2d12bdaf9bbf375fe1b3
10:32 <@vpnHelper> Title: laptop_config · GitHub (at gist.github.com)
10:34 < teccc> https://imagebin.ca/v/3mwUH5pL3BUe
10:34 <@vpnHelper> Title: Imagebin - Somewhere to Store Random Things (at imagebin.ca)
10:34 < teccc> I just removed the hostname from the screenshot
10:34 < teccc> for field Server IP/Name
10:37 < teccc> |Mike|: I added TLS Auth Key, CA Cert, Public Client Cert, Private Client Key values as well from my working client file i use on my laptop
10:40 < DArqueBishop> "TLS key negotiation failed to occur within 60 seconds (check your network connectivity)" generally indicates a networking problem.
10:42 < teccc> DArqueBishop: I can connect using my laptop tho
10:42 < teccc> both using the same internet
10:43 < DArqueBishop> (For the record, masking out the remote IP address on the screenshot was unnecessary.)
10:44 <@ordex> teccc: did you paste client and server logs already ?
10:44 < teccc> yes I pasted the client logs
10:45 < teccc> i'm trying to find the server logs
10:45 < |Mike|> can you ping the server IP from the dd-wrt router?
10:46 < teccc> my laptop is connected to the server
10:46 < teccc> i mean router wifi
10:47 < teccc> i can setup ssh on the server and try
10:47 < teccc> eh router** lol
10:47 < DArqueBishop> Is now a bad time to throw out the dd-wrt factoid?
10:50 < teccc> sorry back
10:50 < teccc> not sure if i missed anything
10:50 < teccc> i will try ssh into the router
11:12 < tecccc> hmm i can't ping the server
11:12 < tecccc> seems like icmp is blocked
11:12 < tecccc> can't ping from the laptop or router
11:13 < tecccc> and i logged into my router that has the server behind it and i can't see any settings to allow icmp
11:17 < tecccc> anything else i could try
11:21 < tecccc> syslog i can see some stuff
11:21 < tecccc> on the server
11:25 < tecccc> Jan 3 17:20:04 openvpn ovpn-server[649]: Authenticate/Decrypt packet error: packet HMAC authentic
11:25 < tecccc> ation failed
11:34 < tecccc> ok
11:39 < tecccc> I got the router openvpn client config
11:39 < tecccc> https://gist.github.com/TecR0c/31b5b6bc66a84cc5b80d41f12e2cba23
11:39 <@vpnHelper> Title: router_openvpn_client · GitHub (at gist.github.com)
12:31 -!- Case_Of_ is now known as Case_Of
13:26 < ca_cabotage> hey all, i've got a question - how dangerous is running an openvpn server with RSA-1024, SHA224, Certificate authentication, but NO encryption? And why/how is it dangerous?
13:28 <@ordex> ca_cabotage: it depends what you are protecting from
13:28 <@ordex> and what your goal is
13:28 < ca_cabotage> the reason i ask - I've had an OpenVPN server up and running for some time and it works great, but - I recently wanted to check out Steam In Home Streaming remotely, so I setup a TAP server. Latency is far too high with encryption - so i tried it with no encryption and it works great. But I'm not sure what all i'm transmitting in the clear by doing this?
13:30 < ca_cabotage> i'm not at all concerned that others can see that i'm doing steam in home streaming - i guess my concern was that since I have to open a WAN port for the Server to access, can someone sniff my certificate/authentication information and then access my network using that? - or really anything else nefarious.
13:31 < ca_cabotage> Basically i don't care about any activity that takes place over that particular VPN connection being private - since it will just be a bunch of steam streaming. I just don't want to be opening up my network to vulnerabilities by running an OpenVPN server without encryption
13:39 < |Mike|> !mitm
13:39 <@vpnHelper> "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: remote-cert-tls server in the client config
13:39 < |Mike|> ca_cabotage:
13:45 < ca_cabotage> |Mike|, the server does use TLS key
13:46 < ca_cabotage> a 1024 bit key with SHA224 auth encryption
13:50 <@ordex> ca_cabotage: NO encryption in your config means that the data channel will be unencrypted. what happens on the control channel (including TLS handshake and key exchange) stays the same
13:51 <@ordex> the TLS handshake is made in a way that even if somebody sniffed the entire thing, he couldn't create a copy of the certificates. would be too easy otherwise ;)
14:02 < ca_cabotage> ok perfect, so nothing is inherently unsafe -network wise about not using encryption - just know that everything i transmit between networks will be in the clear.
14:05 <@ordex> well, that will expose you to other threat, but from the openvpn perspective you are right
14:05 <@ordex> *threats
14:05 <@ordex> ca_cabotage: btw, what cipher/auth options were you using when you saw the high latency ?
14:13 < ca_cabotage> ordex, I just tried AES-128-CBC, latency was high so I tried RC2-40-CBC, latency was still high so i went to none. Neither host nor client CPU is struggling even when encrypting/decrypting at much higher rates than steam streaming requires. I just assumed that there was still enough time spent on encrypt / decrypt that it added enough milliseconds to cause problems with remote gaming. I'm honestly impressed
14:13 < ca_cabotage> that any type of remote gaming is doable - even over local wifi is very impressive imho
14:14 <@ordex> honestly I have no experience with steam/gaming over a VPN
14:15 < ca_cabotage> yeah, i'd never tried it before - was really just curious. i'm not even much of a gamer tbh
14:15 <@ordex> ca_cabotage: do you remember the "auth" you used? that is quite heavy compared to the cipher
14:15 <@ordex> some people set that to sha256 or sha512 which can impact quite a bit on embedded devices/routers
14:15 < ca_cabotage> auth, like auth encryption? SHA224
14:16 <@ordex> not for the certificate, but in the openvpn config
14:16 <@ordex> if you did set nothing then it should have been using the default (sha1)
14:16 < ca_cabotage> no i set it to SHA224
14:16 <@ordex> oh, in the openvpn config ? "auth SHA224" ?
14:16 < ca_cabotage> my router is pfSense on ESXi with 1vCPU of an i5. It's way overpowered for my network.
14:17 <@ordex> yeah sounds so :)
14:18 < ca_cabotage> yeah in the config it's auth SHA224
14:20 <@ordex> oh ok
14:20 <@ordex> but if now it's fine, I doubt it could be the problem
14:33 < ca_cabotage> any ideas on encryption algorithms that would be the absolute fastest?
14:34 <@ordex> normally AES on Intel CPU supporting AES-NI is quite fast
14:35 <@ordex> however it's possible that the latency is coming from somewhere else and the encryption is just triggering it
14:41 < ca_cabotage> yeah, too bad - id rather use at least some encryption
14:44 <@ordex> I'd re-enable AES and I'd dig more into the cause
14:44 <@ordex> checking with ping where the latency is introduced
14:44 <@ordex> step by step
14:46 < ca_cabotage> yeah i'll give it a shot
14:46 < ca_cabotage> thanks for everything!
14:49 <@ordex> np
16:29 < BankZ> !welcome
16:29 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal ' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
16:29 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong, or (#10) see !1925 before arguing with the admins or the person helping you
16:30 < BankZ> !goal I would like to access the internet over my vpn
16:31 < pekster> For that, see:
16:31 < pekster> !redirect
16:31 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
16:31 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
16:36 < BankZ> !serverlan
16:36 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
16:36 < BankZ> !ipforward
16:36 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
16:38 < BankZ> !route_outside_openvpn
16:38 <@vpnHelper> "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route, or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
17:26 < BankZ> so, I have a firewall/route issue, feeling dumb, I can connect to openvpn and ping the openvpn server but nothing else
17:30 < pekster> Where did you land in the flowchart?
17:31 < BankZ> lost ;)
17:32 < BankZ> hmm
17:32 < pekster> https://www.xkcd.com/518/
17:32 <@vpnHelper> Title: xkcd: Flow Charts (at www.xkcd.com)
17:32 < BankZ> be back in 15, need to drop wife off
17:32 < BankZ> ha
17:45 <@ecrist> I forgot that has a FreeBSD reference.
17:52 < BankZ> ok, back, relooking at flow chart
17:54 < BankZ> ok, stupid question, I named my vpn device tun0, should I use tun or tun0 in server config? I have tun
18:56 <@ecrist> it depends
18:56 <@ecrist> if you just use "tun" openvpn will try to create one dynamically. This is usually OK unless you're trying to create firewall rules and such for a specific interface.
19:42 < BankZ> I'm feeling dumb, cant figure out why I can only ping my openvpn server and not other ips on my network, not sure how to setup the correct routes
19:43 < BankZ> I connect fine, just cant ping inet or internal ips
19:45 < BankZ> anyone want to help a noob?
19:47 < BankZ> im going to try a restart, brb
19:50 < BankZ-> dont think its going to work
--- Day changed Thu Jan 04 2018
07:28 < lowin> Hey. I want to setup openvpn in my router in a way that each node behind the router gets its own vpn ip address, Is there a way to achieve this with tun device?
07:29 < lowin> Like, somehow configure openvpn to give the router a pool of 100 ips that the dhcp server can use to give out to clients?
08:46 < Kobaz> having a problem with a routed vpn
08:46 < Kobaz> 'PUSH_REPLY,route 10.20.1.0 255.255.255.0,route 192.168.51.0 255.255.255.0,route-gateway 10.20.1.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.20.1.4 255.255.255.0' (status=1)
08:47 < Kobaz> client can ping 10.20.1.1 (server)
08:47 < Kobaz> and i'm pushing 192.168.51.0/24... and the client can't ping anything there...
08:47 < Kobaz> if i tcpdump icmp on the tunnel, nothing is coming in when the client pings 192.168.51.0/24
08:47 <@ordex> Kobaz: is the server properly configured to forward and route packets?
08:47 <@ordex> !serverlan
08:47 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
08:47 < Kobaz> yes, but we're not there yet
08:48 < Kobaz> the client's traffic to 192.168.51.0/24 is not going through the vpn
08:48 <@ordex> maybe the client log with "verb 4
08:48 <@ordex> "
08:48 <@ordex> might tell why the route is not being installed?
08:48 <@ordex> (Actually did you check if the route is being installed at all?)
08:48 < Kobaz> the route is in place
08:49 < Kobaz> lemme get that
08:50 < Kobaz> 192.168.51.0 255.255.255.0 10.20.1.1 10.20.1.4 35
08:50 < Kobaz> (windows client)
08:51 * ordex has no experience with windows
08:51 <@ordex> but that seems correct
08:51 <@ordex> still, with wireshark on windows you see no packets directed to that network going through the VPN ?
08:52 < Kobaz> running tcpdump on the server-side
08:53 < Kobaz> Thu Jan 04 09:52:01 2018 us=522502 C:\WINDOWS\system32\route.exe ADD 192.168.51.0 MASK 255.255.255.0 10.20.1.1 --- ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=35 and dwForwardType=4
08:53 < Kobaz> i can ping 10.20.1.1 just fine
08:57 < Kobaz> something is wiggity
08:57 < Kobaz> usually when there's an issue with actually routing packets, then it's something like openvpn not running as administrator
08:57 < Kobaz> but it's routing, the server subnet is reachable
09:09 <@ordex> Kobaz: I'd suggest to dump traffic with wireshark on windows to make sure that packets are actually going through the tunnel interface
09:09 <@ordex> if that's the case, then you know that routing on windows is set properly at least
09:14 < Kobaz> im gonna try with another client
09:14 < Kobaz> connect from a linux box and verify that's working
09:14 < Kobaz> then i can narrow it down to either config, or windows
09:14 < Kobaz> i've set up a bajillion of these, i dont think the config is wrong, but, never know
09:21 <@ordex> if the route is there, I don't think the config is wrong either
09:48 < Kobaz> yeah
09:48 < Kobaz> sounds like a windows fsckery
09:53 <@ordex> yeah
13:21 < adrian_1908> Howdy. Does anyone know from experience whether `remote-random` randomizes a list of fixed IPs? Or is it designed with remote domains in mind?
13:23 <+rob0> IIRC it's whether to cycle in order through multiple --remote lines or to go at random through them.
13:23 <+rob0> see --remote-random in the manual
13:25 < adrian_1908> For my version, that reads "When multiple --remote address/ports are specified, or if connection profiles are being used, initially randomize the order of the list as a kind of basic load-balancing measure."
13:26 < adrian_1908> I'm not 100% sure how that translates to the configuration file. But it's possible that it always tries the first IP, and only randomizes the second server it tries to connect to (if the first fails).
13:26 <+rob0> okay, so more or less that was right. Randomize once, then cycle in order through that list.
13:27 <+rob0> Sounds to me like you don't know which one is first with --remote-random
13:27 <+rob0> this would be trivial to test
13:28 <+rob0> start a client, see where it goes, kill & restart it, lather rinse repeat
13:29 <+rob0> if it always goes to the first IP, you're right (but check what IP addresses any given names resolve to)
13:30 < adrian_1908> I have set up my client as a service with multiple fixed IPs followed by remote-random but keep getting the same IP since weeks. I'll try manually with the client and see if that tells me more.
13:30 < adrian_1908> Ok, bye for now (since this will kill my connection anyway) :)
14:52 < alker> how to setup a openvpn server with vpn connected already?
14:52 < alker> i want to setup an openvpn server on server1 which is connected to server2 with vpn
14:53 < alker> when client connects to server1, browsing website shows ip of server1, not server2
14:54 < alker> tcpdump on server 1 shows that website browsing request is never sent to server2
14:55 < alker> what route do i need on server1 if i want that when client connects to server1, browsing website uses server2's
15:39 < cmanns> Hi is there any server appliances to easily deploy OpenVPN server/client configs with a GUI
15:39 <+rob0> !as
15:39 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
15:39 <+rob0> ^^ you might want to ask there
15:41 < cmanns> that'd be commercial only yes?
15:57 <+rob0> cmanns, yes, I think the integrated GUI is one of the selling points of AS.
16:58 < davidebeatrici> Hi
16:58 < davidebeatrici> How can I disable push-peer-option?
17:06 <+rob0> my manual doesn't have --push-peer-option
17:07 <+rob0> my manual *does* have --push-peer-info, is that what you meant, or just --push