Re: [Openvpn-users] [pfSense] how often to rekey for shared secret site-to-site
On 08/06/13 01:05, Eugen Leitl wrote:
> Is there a policy how often one should change shared secrets
> for OpenVPN shared site-to-site?

There is no easy way to answer that beyond "often enough for you to feel confident in the integrity of the system".

Why aren't you using certs? Certs have the advantages of providing harder to crack data protection, are able to be revoked, and easily allow you to ensure you use different certs per site-to-site connector.

In previous roles, I've seen a tendency for network engineers to use the same pre-shared keys for multiple site-to-site links - which means that if they ever had one of their routers stolen or otherwise compromised, they'd have to change that pre-shared key on every WAN link that used the same key (compare with simply revoking a single cert).

However, from a data protection perspective I think pre-shared keys are used as the encryption key for all traffic (ie governments can brute force the key given enough data and time - and if they can be bothered of course ;-), whereas certs allow openvpn to form a "key exchange" channel over which a temporary randomly generated pre-shared key is exchanged - which is then used for the next "--reneg-sec" seconds - and then the entire process is repeated. This limits the ability to brute-force as the amount of traffic that can be captured with that key is "small" (thereby breaking statistical assumptions all brute forcing relies on to reduce runtime) - and breaking and decrypting that traffic does not help decrypt the next blob of traffic (ie it's about as good as it gets).

Hopefully I haven't blown cover by saying too much that's incorrect there - I'm sure someone else will let us know if I have! ;-)

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] OpenVPN with intermediate CA
On 02/07/13 20:07, Gert Doering wrote:
> Out of curiosity, as I've seen this mentioned a few times but never
> read a reason for the hash-thing - how does openvpn (or apache, etc.)
> know the hash for the CRL file to look for, when it hasn't seen the
> CRL yet?
>
> gert

All CRL support requires your servers to download the CRL via some schedule. Most parse the CA or server cert (which should contain either LDAP or HTTP urls to the CRL files) and download the CRL file at some interval < the lifetime of the CRL. *Then* you'd hash it, etc.

We have openvpn and client-cert protected web servers all over the place, all downloading CRL files every hour from the CA. The CA itself re-makes the CRL every hour, but with a 24 hour lifespan, which means we can take several hours of outages on any CRL component before our servers start rejecting valid connections... (you gotta think that part through - otherwise you will get burnt)

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
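The refresh scheme in the post (CA re-issues hourly with a 24 hour lifetime, servers fetch hourly) implies a decision every fetch job has to make before it swaps in a downloaded CRL. This is an added illustration, not code from the post: the interval and lifetime are the post's numbers, the 5 minute skew allowance and the sample timestamps are constructed for the example.

```python
"""Freshness checks for a scheduled CRL fetch (added example).

The CA re-issues its CRL hourly with a 24 hour lifetime and every server fetches
it hourly, so the fetch job must decide whether a downloaded CRL is safe to swap
in and how much outage budget remains. Timestamps below are constructed; in use
they come from `openssl crl -noout -lastupdate -nextupdate -in crl.pem`.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

REFRESH_INTERVAL = timedelta(hours=1)  # servers fetch hourly (from the post)
CRL_LIFETIME = timedelta(hours=24)     # CA issues with a 24 hour lifetime (from the post)
MAX_SKEW = timedelta(minutes=5)        # assumption: clock skew tolerated against the CA


@dataclass(frozen=True)
class CrlInfo:
    last_update: datetime  # thisUpdate: when the CA issued this CRL
    next_update: datetime  # nextUpdate: after this, verifiers treat the CRL as expired


def parse_openssl_time(text):
    """Parse the 'Jul  2 09:00:00 2013 GMT' form that openssl prints (UTC)."""
    return datetime.strptime(text.strip(), "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def crl_from_openssl_output(output):
    """Build CrlInfo from the 'lastUpdate=...' / 'nextUpdate=...' lines openssl prints."""
    fields = {}
    for line in output.strip().splitlines():
        key, _, value = line.partition("=")
        fields[key.strip()] = parse_openssl_time(value)
    return CrlInfo(fields["lastUpdate"], fields["nextUpdate"])


def should_install(current, candidate, now):
    """Decide whether the downloaded CRL may replace the installed one.

    Returns (ok, reason). A CRL that is expired, dated in the future, or no newer
    than the one already on disk is refused: installing an older CRL would
    silently drop revocations the CA has published since.
    """
    if candidate.last_update > now + MAX_SKEW:
        return False, "thisUpdate is in the future; check clocks"
    if candidate.next_update <= now:
        return False, "downloaded CRL is already expired"
    if current is not None and candidate.last_update <= current.last_update:
        return False, "downloaded CRL is not newer than the installed one"
    return True, "ok"


def outage_budget(current, now):
    """Seconds left before the installed CRL expires and valid clients get rejected."""
    return max(0, int((current.next_update - now).total_seconds()))


def fetches_that_may_fail(lifetime=CRL_LIFETIME, refresh=REFRESH_INTERVAL):
    """Consecutive failed fetches survivable before the on-disk CRL expires."""
    return int((lifetime - refresh) // refresh)


def alert_if_stale(current, now, refresh=REFRESH_INTERVAL):
    """True once several refreshes have been missed: page someone before the budget runs out."""
    return now - current.last_update > 3 * refresh


if __name__ == "__main__":
    # Constructed sample: CRL installed at 09:00, a newer one downloaded at 10:30.
    installed = crl_from_openssl_output(
        "lastUpdate=Jul  2 09:00:00 2013 GMT\nnextUpdate=Jul  3 09:00:00 2013 GMT\n")
    downloaded = crl_from_openssl_output(
        "lastUpdate=Jul  2 10:00:00 2013 GMT\nnextUpdate=Jul  3 10:00:00 2013 GMT\n")
    now = parse_openssl_time("Jul  2 10:30:00 2013 GMT")
    print(should_install(installed, downloaded, now))
    print("outage budget (h):", outage_budget(installed, now) / 3600)
    print("fetches that may fail:", fetches_that_may_fail())
```

The "hash-thing" Gert asks about comes after this step: once a CRL passes these checks you compute its hash-named link for the CRL directory.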
Re: [Openvpn-users] Logs contain multiple "bad source address packet dropped" lines
On 05/07/13 13:32, joshua gross wrote:
> I have seen this on even Mac and Linux clients when the tunnel first comes
> up.
>
> As well we control the windows client. Anything we can do to fix it in that
> case?
>

This concern with that error message shows up continually. Couldn't it just be removed from the code, or pushed down to some lower logging level so that most people don't see it? Or at least have " (probably nothing to be concerned with)" added to it. :-)

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Re: [Openvpn-users] OTP re-auth solution?
On 11/09/13 12:34, Michael Ludvig wrote:
> We used to do cert-based authentication which was good because on
> connection drop it re-authenticated without any user interaction and
> often users didn't even notice. Now that we moved to OTP users
> rightfully complain about the lower comfort. Is there
>

I think you're asking a bit too much :-)

Either your mandate is to implement an "extremely" high security solution (in which case tokens are the only option IMHO), or your mandate is to implement a "very strong" security solution - in which case client certs by themselves absolutely do the trick (certs on tokens I place into the "extreme" category of course).

So if you *have* to use tokens, then user-annoyance is probably a side-effect that cannot be avoided.

If you're willing to hack, you might have been able to do something where client certs are used to establish the tunnel, but firewall acls on the gateway quarantine the client until they go to a web page and authenticate using the OTK. Then that clientcert+IP combination could be whitelisted for the next 'n' hours - something like that. Majorly hacky and I don't know of any other product with that kind of option.

As far as I'm aware, if you're doing OTK, the expectation is you are using it every time you connect - just like you're currently seeing...

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Re: [Openvpn-users] Possible to drop port scan packets?
On 25/09/13 11:16, jack seth wrote:
> Thanks for the response. Yes I have that implemented. I am running
> both a TCP and UDP server. Of course it is the TCP that is replying.
> Actually the port is listed as 'closed' but I want it to appear as
> 'stealth' (i.e. no response).

Just to reiterate - you can't do that with any TCP application. By *definition*, TCP/IP requires a 3-way packet transaction before any client (like openvpn client) can even begin to talk to it. So if you want openvpn to run over TCP, then you have to accept that anyone can "know" you have something running on that port. Of course, they won't be able to tell just what TCP service is running on it (it isn't smtp, http, https, etc) - but they will know something's there.

PS: either your scanner is broken, or you actually don't have it running on TCP. If scanning a TCP port returns "closed", that 100% means there's nothing running on it (ignoring firewall rules that limit by ip address). It *must* return "open" for any of your openvpn clients to ever be able to use it.

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Re: [Openvpn-users] openvpn
On 07/10/13 04:07, Luis Daniel Lucio Quiroz wrote:
> Port 53/udp is risky since I have found some ISP's block udp packages
> longer than 512 bytes
> moving to port 443/tcp it seems to be most easy, since they will only
> see TLS negotiation,

I think that's the best bet too - but to be precise, openvpn doesn't do standard TLS negotiation (at least if you are using tls-auth as you should be) - so some layer7 firewalls could potentially even block openvpn on tcp port 443 - however, most don't :-)

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Re: [Openvpn-users] OpenVPN Security
On 17/10/13 02:42, Les Mikesell wrote:
> Banking transactions would normally be done over https - which uses
> ssl. Openvpn would add another layer over the open wifi hop, but I'm
> not sure how much that adds to the security.

For one thing it stops MITM attacks. Most people are naive and if they're on an untrusted network and someone MITM'ed their bank connection, they will click through the browser "don't trust this website" warning and bam - they've lost their bank creds. Forcing users through openvpn puts them on a trusted network where such skulduggery doesn't happen (and you could have AV proxies and other such stuff)

...of course, if the untrusted network is truly 0wneD, it could break openvpn, leading to the annoyed user disabling openvpn in order to get a working Internet connection and - well - see the first sentence ;-)

You can try to engineer yourself a foolproof system, but the Universe can always engineer a better fool.

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Re: [Openvpn-users] OpenVPN Security
On 17/10/13 10:24, Sumit Dahiya wrote:
> MITM attack is exactly why I'd like my users to go through OpenVPN.
>
> So I am hearing MITM (for general internet browsing) becomes more probable
> if my server does not use the directive "redirect-gateway def1 bypass-dhcp"
> vs. if it were using it, correct?
>

Yes it is more likely, but it's 0.0001% more likely (or not: maybe more or less). Give it a try and see how it goes. No-one can actually answer this question for your situation - only you can decide if it's appropriate or not.

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Re: [Openvpn-users] OpenVPN Security
On 17/10/13 10:32, Les Mikesell wrote:
> Yes, but if someone can MTM the https ssl, why couldn't they do the
> same for openvpn's ssl?

Because the IT group responsible for pushing out VPN client onto laptops wouldn't allow the entire validation component of SSL to be subverted. That is the fundamental difference: browsers rely on *users* doing the right thing, whereas VPNs rely on *IT groups* doing the right thing.

You are correct that both VPNs and HTTPS approach the same level of functionality in terms of protection - but in practice that does not happen. ie I hear about hackers stealing money from bank accounts, I don't hear about hackers breaking into VPN tunnels, and using that to steal money from bank accounts. I guess it does happen - but it would be 99.999% browsers/0.001% VPNs?

> Is there more than the obscurity of using an unexpected port for the
> traffic? And, on the flip side, if the user is really paranoid, why
> should he trust the VPN host to not do the same, since they become
> another point that can intercept both sides of the conversation?

Sorry, I don't get the "unexpected port" comment.

If you are vpn-ing into an organization, that implies some form of trust - certainly more than anyone should have for any Starbucks Wifi connection (especially with that chap with a laptop in the corner with the "w00t!" tee shirt). I certainly assumed the original poster represents an *organization* trying to protect *the organization's* laptops and users.

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Re: [Openvpn-users] [PATCH] Make code and documentation for --remote-random-hostname consistent.
What feature does "--remote-random-hostname" give you that having a 10-second TTL on one DNS record wouldn't?

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Re: [Openvpn-users] doubts about possible sniffing
The way I look at it (and hopefully I'm correct - I've never used tap so I haven't tested that), "tun" interfaces are like traditional physical point-to-point WAN links - and one WAN link cannot see the traffic from another WAN link.

Similarly, "tap" interfaces are equivalent to a *switch* - not an old-fashioned *bridge*: one device plugged into a switch cannot see the traffic flows of another device (except for broadcasts - which is the only reason you'd use tap anyway). Of course - as Gert mentioned - taps do suffer from the same security issues as switches, you can subvert that general rule by doing tricks with arp spoofing/etc.

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Re: [Openvpn-users] doubts about possible sniffing
There's a lot of good chatter going on about this topic, but at the end of the day all that matters is whether any of this *conjecture* is real or not. Someone actually using TAP mode and interested in this subject should actually *test it* and see what happens.

In the immortal words of djb: "profile, don't speculate"

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Re: [Openvpn-users] Iperf over TCP tunnel
On 05/06/14 08:01, Erik LE VACON wrote:
> I don't know the distance btw your two points, but remember that the
> RTT has a huge impact on your bandwidth, especially when we are
> talking about thousands of kilometers.

iperf can actually do that too via the "-P" option. ie "iperf -c server.name" measures throughput, whereas "iperf -c server.name -P4" measures bandwidth (ie pushing 4 sessions in parallel normally saturates a WAN link; if not, try 8, 10, etc until you do).

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Re: [Openvpn-users] OpenVPN and Multi-Core processor
On 05/08/14 08:36, Gert Doering wrote:
> "Nobody did the code yet".
>
> This is a complex problem. You need a programmer that understands
> parallel processes or threads, network, security, and is willing to
> spend quite a bit of personal time on it - implementation, code review,
> testing.

I think it can be hacked into place (with the right choice of OS of course).

I've effectively "multi-processor"-ed openvpn by running multiple copies on different ports, and then using iptables to round-robin new connections onto those backend services. ie on a 4-core processor, have 4 copies of openvpn (well, I actually have 8: 4 for udp and 4 for tcp) running. The trick is to use "client-connect" to enable you to use a shared ip pool amongst the different instances, but it seems to work well (I haven't tested it at load, all I know is that incoming users are allocated different openvpn processors and it all seems to work).

eg

    iptables -A PREROUTING -i eth1 -p udp -m udp -m multiport --dports 443,500,1194,4500 -j DNAT --to-destination srv.ip.addr:3000-3003 --random
    iptables -A PREROUTING -i eth1 -p tcp -m tcp -m multiport --dports 1194,3389,443 -j DNAT --to-destination srv.ip.addr:3000-3003 --random

That enables a complex openvpn client config that can iterate through a range of UDP ports and then TCP ports before giving up, and any that are successful at getting out whatever local firewall they have are then redirected onto local ports 3000-3003: each of which have a separate copy of openvpn running.

I use client-connect to give a local shared ip pool and in fact make the addresses "sticky" - ie you always get the IP address you got the first time you connected. Obviously the pool would always need to be bigger than the maximum number of clients - but that isn't a big deal on our 10/8 network.

This is the biggest thing I love about openvpn: the scripting triggers it supports. You can basically make it do anything :-)

--
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Re: [Openvpn-users] OpenVPN and Multi-Core processor
On 07/08/14 00:12, David Sommerseth wrote:
> What is CPU intensive is when asymmetric encryption comes into play,
> with the key exchanges and other negotiations etc.

I sooo have to agree with that. Back in the day I could notice even with only TWO clients how openvpn would completely HANG during key renegotiation! ie I'd be SSH-ed into some work server via openvpn, happily typing away, the second client would connect and WHAM! total freeze for 5+ seconds.

Which is why I changed our reneg-sec from 3600 to 36000 (ie ten hours). If we had 100 simultaneous clients, I'd even think of increasing that yet again. The theoretical risk of someone actually brute forcing a key in that time window is still nearly infinitely less than the actual impact of key renegotiation on openvpn.

--
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Re: [Openvpn-users] OpenVPN and Multi-Core processor
On 08/08/14 03:24, Jan Just Keijser wrote:
> I would also opt for function handlers/pointers per connection - that
> way you could server both udp+tcp from a single server instance

Yes - having one server instance managing both udp and tcp AND being able to handle multiple ports should be part of any rewrite. We have found there are tonnes of different firewall variables in (client-end) networks we've come across - so currently have several openvpn instances running on the same server to maximize success rates. Having all that handled by one instance would be much simpler (with threading or forking - don't care - not a programmer ;-)

If we're asking for ponies, can I also have one that can do some form of latency test first (in the case of DNS resolving to multiple server IPs) so that clients go to the "fastest" server? I'd love to have a single client config that would give users the best performance by default (by taking them to the openvpn server closest to their current location).

Within our Cisco VPN environment - where the GUI shows users all our VPN gateways - users (if left to their own devices) will typically choose the FIRST one and then stick to it - even if they are travelling to other countries. We have gateways all over the world and users typically don't use the optimum one - they use the one that "worked last time". And then they complain how slow VOIP is over it ;-)

In the words of immortal Devo: "Freedom from choice: is what you want" ;-)

--
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
[Openvpn-users] how to use --push-peer-info?
Hi there

I simply can't get it to work. I have openvpn-2.3.4 client for Win7 talking to a CentOS-6 openvpn-2.3.2 server and "push-peer-info" is set in the client. However, even though I have both tls-verify and client-connect set to scripts on the server, which contain "set > /tmp/file" to dump environment variables, there's no such details from the clients getting through.

Have I missed something?

Thanks!

--
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Re: [Openvpn-users] how to use --push-peer-info?
On 21/08/14 21:11, Gert Doering wrote:
> push-peer-info data is visible in the server logs only in "git master"
> openvpn versions (and 2.4 will have it, of course). If you want to see
> it in 2.3.2, you need to talk to the management interface.
>
> gert

OK, how do you do that? I've connected to the management port and went through the options that "help" showed - nothing seemed to show me such details? (eg "status 2")

--
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Re: [Openvpn-users] how to use --push-peer-info?
On 21/08/14 23:29, debbie...@gmail.com wrote:
> Please see this post:
> https://forums.openvpn.net/topic15625.html
>

OK... So it looks like it only works if you use password authentication (which we don't) and that the server uses "management-client-auth" to achieve that? Well that means I'm out of luck then ;-)

It does seem like git master has been patched so that this peer-info is now available via env variables as well - so if we jump into the development unknown we could use the feature: I think we'll just have to pass ;-)

Thanks!

--
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Re: [Openvpn-users] how to use --push-peer-info?
Well that was basically painless. Now I see the following is available to scripts called on the server, nice :-)

    IV_HWADDR=52:54:00:ff:72:87
    IV_PLAT=win
    IV_SSL=OpenSSL_1.0.1i_6_Aug_2014
    IV_VER=2.3.4

--
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
[Openvpn-users] confusion over udp "fragment"
Hi there

I'm on an "openvpn optimization drive" (ie it's all working great and I'm trying to squeeze more greatness out of it) and reading the Internet (took a while ;-) leads me to a confused state on the usefulness of "fragment".

There are several postings by long-term openvpn gurus who seem to lead their diagnostics of other people's openvpn connectivity problems with "remove the fragment option". I, on the other hand, have found that I have NEVER got openvpn-over-udp to work without it! It looks to me like it cannot even get through the initial negotiation phase without fragment being enabled at both ends (I use 1400 - but that's just a lazy guess that works).

In fact, I just did a related test. I removed "fragment" from the server and only set it on the client - end result, NO CONNECTION. Put that one line back (identical fragment values of course) and it all works again.

So I have two questions.

1. It looks to me like fragment is always needed for UDP. If so, shouldn't that be declared more strongly (maybe even error-ing on configs without it).

2. Shouldn't both ends negotiate the fragment option and both ends should use the *smallest* value (or maybe "fragment automatic" as an option to achieve it), so that the server can have it disabled, and the client (where fragmentation issues are vastly more variable) can control it. However, my test makes me think that maybe even openvpn negotiation can create packets big enough to break negotiation? (ie that option has to pre-date the initial connection)

I know some people may come back with comments about there being "something" on our network that is screwing with things, but that's the point - I know everything about our server on our work network and everything about (say) my client laptop on my home network - but there's a vast range of "Internet" between the two that I know nothing about, so it's not worth mentioning ;-)

Thanks!

--
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
[Openvpn-users] is it safe to let all clients negotiate tls-ciphers?
Hi there

I've seen a few people claim it's "more secure" to force the clients to use stronger ciphers via the "tls-cipher" option: it stops MiTM attacks from spoofing lower-quality connections. However, surely that depends on when the negotiation occurs? If it occurs after the TLS auth section, surely that would have picked up the MiTM and ditched the connection anyway? And what about "tls-auth"? We use that, so wouldn't that break MiTM anyway?

What I'd rather do is keep the clients as "open" as possible and make as many cipher/etc decisions as possible on the server, so I'd rather not define tls-cipher on the clients, only the server.

So am I correct in saying that an openvpn network using tls-auth plus client certs should be effectively immune to MiTM attacks, thereby making it OK to leave as much decision making as possible to the server?

Thanks!

--
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Re: [Openvpn-users] Openvpn logout time?
On 03/09/14 10:05, David Sommerseth wrote:
> Just to explain --explicit-exit-notify slightly more. This is a
> client-side option, which will notify the server when the client
> disconnects. Otherwise the server will keep the connection state open
> until the connection times out (defined by --ping-restart).

Caveat on that: "--explicit-exit-notify" means when openvpn *formally* shuts down, it notifies the server that it is doing so. If you come along with a Big Hammer (as I'm prone to do) and "kill -9" your openvpn process, then it dies outright and never gets to send the "I'm shutting down now!" message :-)

So in that corner-case you still have to rely on the server "ping-restart" setting for it to be able to detect that the client isn't there anymore. TCP - being below openvpn - doesn't suffer from this issue of course, the server always sees the TCP FIN/RST packet and "knows" the client is no more.

>
> But instead of parsing the log file, I would rather recommend looking
> at the --client-connect, --client-disconnect and/or --learn-address
> script hooks for more advanced ways of connection tracking.

Couldn't agree more. You really need to use "client-connect" and "client-disconnect" so that you can create START/STOP records - they are the only things that really get it right.

--
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Re: [Openvpn-users] Openvpn logout time?
On 03/09/14 10:56, Mathias Jeschke wrote:
> If you use the "hammer", the machine is not able to send a TCP FIN,

I don't think that's the case. "Hammering" a user process does not influence how the TCP stack operates (kernel space vs user space) - it would generate a TCP reset. Of course, unplugging the Ethernet cable would do what you're saying. No matter what way you look at it, you need to rely on "ping-restart" to pick up the corner-cases :-)

I'm just dealing with another corner case. Clients who disconnect and reconnect before the server realises the first disconnect happened. So even "--client-connect" "--client-disconnect" cannot save you from seeing things out of order, eg

1. client connects, server triggers --client-connect
2. client disconnects harshly (not triggering --explicit-exit-notify)
3. client connects, server triggers --client-connect
4. server realizes client has disconnected

I had some "cleanup" code in "4" which meant the server turned around and killed the "3" instead of the "1" - not what I wanted ;-). Still - all fixable thanks to the wondrous scripting options openvpn gives us :-)

--
Cheers
Jason Haar
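The START/STOP bookkeeping discussed in the two posts above, as an added example that is not code from the thread or from the OpenVPN project. It keys each record on the tunnel (source ip, source port, connect timestamp) rather than on the common name, so the late disconnect in step 4 closes session "1" and leaves session "3" alone. The environment variable names are OpenVPN's own; the assumption that the connect-time values are still present when --client-disconnect runs, the JSON store and its path are this example's.

```python
"""Session bookkeeping for OpenVPN --client-connect / --client-disconnect
hooks that survives a client reconnecting before the server has processed
the earlier disconnect.

OpenVPN exports connection details to both hooks as environment variables;
common_name, trusted_ip, trusted_port, time_unix, time_duration, script_type
and ifconfig_pool_remote_ip are the real variable names.  Assumption: the
values set at connect time (trusted_ip/trusted_port/time_unix) are still
present unchanged when the matching --client-disconnect hook runs.  The JSON
store and its path are this example's own choice, not OpenVPN's."""
import json
import os
import sys
from pathlib import Path

SESSION_DB = Path(os.environ.get("OPENVPN_SESSION_DB",
                                 "/var/run/openvpn-sessions.json"))


def session_key(env):
    """Identify one tunnel rather than one user.  The common name is shared
    by a user's old and new sessions, so a disconnect keyed on it alone can
    tear down the wrong one; source ip, source port and connect timestamp
    together are unique per tunnel."""
    return "{trusted_ip}:{trusted_port}@{time_unix}".format(**env)


def handle_connect(env, sessions):
    """--client-connect: add a START record and return the audit line."""
    key = session_key(env)
    sessions[key] = {
        "cn": env["common_name"],
        "vpn_ip": env.get("ifconfig_pool_remote_ip", "-"),
        "start": int(env["time_unix"]),
    }
    rec = sessions[key]
    return "START key={} cn={} vpn_ip={}".format(key, rec["cn"], rec["vpn_ip"])


def handle_disconnect(env, sessions):
    """--client-disconnect: close exactly the session this hook belongs to.
    A late disconnect for an already-replaced session must not touch the
    user's newer session, so we pop by key, never by common name."""
    key = session_key(env)
    rec = sessions.pop(key, None)
    if rec is None:
        # Nothing matched: typically the store was lost on a server restart.
        return "STOP-UNMATCHED key={} cn={}".format(key, env["common_name"])
    duration = env.get("time_duration", "?")
    return "STOP key={} cn={} vpn_ip={} duration={}".format(
        key, rec["cn"], rec["vpn_ip"], duration)


def sessions_for(common_name, sessions):
    """Keys of the live sessions for one certificate; more than one means
    the server still holds an earlier session of this user (step 3 before
    step 4 in the sequence above)."""
    return sorted(k for k, r in sessions.items() if r["cn"] == common_name)


def load_store(path=SESSION_DB):
    try:
        return json.loads(Path(path).read_text())
    except (FileNotFoundError, ValueError):
        return {}


def save_store(sessions, path=SESSION_DB):
    Path(path).write_text(json.dumps(sessions))


def main():
    """Entry point when OpenVPN runs this file as the hook script."""
    env = dict(os.environ)
    sessions = load_store()
    if env.get("script_type") == "client-connect":
        line = handle_connect(env, sessions)
    elif env.get("script_type") == "client-disconnect":
        line = handle_disconnect(env, sessions)
    else:
        sys.exit("run me from --client-connect or --client-disconnect")
    save_store(sessions)
    print(line)


if __name__ == "__main__":
    main()
```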
[Openvpn-users] macox dns help for a novice?
Hi there

I'm trying to get openvpn working on a Mac client for the first time (tun mode), it's all working at the IP layer, but I want to get the "scoped DNS" bit working too: ie tell the Mac to send DNS lookups for *.company.domain through the tunnel to corporate DNS servers, and use the default interface DNS for everything else.

I found openvpn-tun-up-down.sh on the Internet which seems to be *almost* correct, but it doesn't quite work. It uses scutil to reconfigure DNS, but I ended up with "company.domain" set against the default DNS instead of the tunnel's DNS settings. It was written in 2006 so maybe it doesn't work on the newer OSes?

Anyway, has anyone out there found out how to do this and is willing to share? :-)

Thanks!

PS: I'm using this http://openvpn.net/archive/openvpn-users/2006-10/msg00120.html

--
Cheers
Jason Haar
Re: [Openvpn-users] macox dns help for a novice?
On 04/09/14 01:05, Jonathan K. Bullard wrote:
> As the current Tunnelblick developer/maintainer, I appreciate Gert's
> kind words, but Tunnelblick does not do split DNS either. I've never
> been able to get it working -- in fact, I am hoping someone will
> respond to Jason's post with information or code so I could add this
> ability to Tunnelblick!

Well that is depressing! :-)

It must be *nearly* working. At home, after openvpn connects back to work and "--up" runs openvpn-tun-up-down.sh, my DNS is altered such that

    root# scutil --dns
    DNS configuration

    resolver #1
      search domain[0] : corporate.domain
      search domain[1] : home.domain
      nameserver[0] : 192.168.248.3

    DNS configuration (for scoped queries)

    resolver #1
      search domain[0] : home.domain
      nameserver[0] : 192.168.248.3
    ...
    resolver #2
      nameserver[0] : 10.1.1.2
      nameserver[1] : 10.1.2.1
      if_index : 10 (tun0)

So from what I can see, the only thing that needs to be done is to take "corporate.domain" out of "resolver #1" from the "general" section, and put it down into "resolver #2" in the "scoped" section. I'm not a Mac person, but I interpret this as meaning when I do "nslookup blah.corporate.domain", the Mac sends it to "resolver #1" instead of "resolver #2". Once that is fixed, it should all work?

--
Cheers
Jason Haar
[Openvpn-users] Windows service mode doesn't seem to restart on timeout properly
Hi there

I've got openvpn-2.3.4 under Win7 running. Works fine - except when there's a network change...

I have "verb 3" enabled and the log ends with

    Thu Sep 04 15:42:09 2014 [dns.host.name] Inactivity timeout (--ping-restart), restarting
    Thu Sep 04 15:42:09 2014 C:\WINDOWS\system32\route.exe DELETE 12.3.1 MASK 255.255.255.255 192.168.22.1
    Thu Sep 04 15:42:09 2014 Warning: route gateway is not reachable on any active network adapters: 1.2.3.1
    Thu Sep 04 15:42:09 2014 Route deletion via IPAPI failed [adaptive]
    Thu Sep 04 15:42:09 2014 Route deletion fallback to route.exe
    Thu Sep 04 15:42:09 2014 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
    Thu Sep 04 15:42:09 2014 Closing TUN/TAP interface
    Thu Sep 04 15:42:09 2014 ..\scripts\down.cmd openvpn 1500 1546 1.2.3.25 255.255.255.0 init
    Thu Sep 04 15:42:09 2014 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem

This machine changed from Ethernet to WiFi and got a new IP - which meant that openvpn's tunnel would have hung and "ping-restart" should have ensured it noticed and got a new tunnel up. I see "ping-restart" triggered, but nothing happened afterwards - no sign of it attempting to make a new connection. The routing errors are expected, I'm hoping they are not the cause of the issue as we've got some weird routing for a reason ;-)

I did a "net stop 'openvpn service'", but could see openvpn.exe was still running. Couldn't do a "net start" because of it. If I manually kill openvpn.exe, then I could "net start" and immediately the tunnel comes up from scratch and everything is good again.

It seems like openvpn.exe is "hanging" because it doesn't loop around and retry making a connection - like it does on our Linux clients. Very odd. The log shows no real error that I can see - it simply seems to be sleeping without doing anything?

BTW I downloaded this logfile an hour after the client tunnel disappeared after the IP change - the last line in the logfile was an hour old - so there's no sign of openvpn doing anything since.

Any ideas?

--
Cheers
Jason Haar
Re: [Openvpn-users] macox dns help for a novice?
Actually, things weren't as bad as I thought - that "--up" script does seem to work after all!

My mistake (I did say I was a Mac novice!) was that I *assumed* "nslookup srv.corporate.domain" would work - well it didn't. What I didn't check was that "ping srv.corporate.domain" does work :-) i.e. it looks like the Mac's resolver library (which most apps would use) does point particular DNS queries at the internal-over-openvpn DNS servers after all. It's just that pure DNS tools like nslookup cannot make use of it.

So it looks like it works to me? Jonathan, you should take another look at that script and confirm/deny?

PS: Ubuntu's insistence on using dnsmasq and always making the DNS server 127.0.0.1 totally solves this problem 100% of the time for all applications - why can't the OSes be as smart :-)

On 04/09/14 01:05, Jonathan K. Bullard wrote:
> On Wed, Sep 3, 2014 at 8:37 AM, Gert Doering wrote:
>> On Wed, Sep 03, 2014 at 06:41:17PM +1200, Jason Haar wrote:
>>> Anyway, has anyone out there found out how to do this and is willing to
>>> share? :-)
>> I have no direct answer, but maybe using Tunnelblick instead of "raw
>> openvpn" would just solve this for you? (It's a very nice MacOS gui
>> that bundles openvpn - just like the windows gui bundle)
> As the current Tunnelblick developer/maintainer, I appreciate Gert's
> kind words, but Tunnelblick does not do split DNS either. I've never
> been able to get it working -- in fact, I am hoping someone will
> respond to Jason's post with information or code so I could add this
> ability to Tunnelblick!

--
Cheers
Jason Haar
Re: [Openvpn-users] Windows service mode doesn't seem to restart on timeout properly
On 05/09/14 00:22, Gert Doering wrote:
> Does it work if running from the GUI? The error messages should not
> prevent a restart... so I'm a bit puzzled what is wrong.
>
> gert

Well that was good advice. There was a bug with our "--down" CMD file. It errored when the tunnel went down on "--ping-restart". In the GUI, the error is picked up (and shouted from the roof tops) - the logfile ends saying this error occurred, but when the same thing is done from a service, it *does not*. Something blocks it - which is probably why if openvpn is run as a service it fails to restart?

So obviously I fixed the down script and now running as a service is moving happily between IP addresses, but it does look like a minor bug?

Thanks again for the suggestion!

--
Cheers
Jason Haar
[Openvpn-users] blocking issue with management port
Hi there

We just rolled out a test version of a new client "--up" script for 4 Windows users running openvpn as a service and it was borked. The script had a bad exit value and so the client would connect, run up.cmd, error and disconnect. Then sleep 5 seconds and do it all over again.

End result was with just 4 clients in that state, the management port on the server became unusable. Some times you could connect - getting the banner - but any command you sent would just hang and never return. Other times it would connect - but you wouldn't get the banner, and other times it couldn't even connect!

Fixed the clients, they reconnected and got working connections, and then the server came right all by itself.

Having the management interface going "lala" like that was a bit of a shock: the server itself actually uses that API during connection phase for some sanity checks - and they would fail once it stopped working, which in turn made the problem worse.

This was openvpn-git - built a couple of weeks ago, so it's pretty fresh. I had "verb 5" enabled and didn't see any error that implied a problem, but the connections were in a real state. I'm guessing there's some kind of blocking problem occurring when a client successfully connects and then immediately disconnects? Somehow that causes the management interface to pause, not knowing what to do next?

This was UDP (but with explicit-exit-notify 2)

Any ideas what I can do to stop this happening again (besides better QA on our "up" script ;-)

Thanks!

--
Cheers
Jason Haar
Re: [Openvpn-users] blocking issue with management port
On 18/09/14 19:42, Gert Doering wrote:
> Are you frequently connecting and disconnecting to the management port?

Yes. As part of the server's "up" scripts, we call the management interface to grab some details not available via environment variables. So there was a fair amount of "echo status|nc 127.0.0.1 xxx" calls going on during this error condition with the clients.

> That seems to be racey, if clients and management client disconnect at
> the same time - the management interface is really designed for
> long-lasting connections to it, as in "start up openvpn, connect to
> management interface, keep that around until openvpn ends". Doesn't
> mean we shouldn't fix the races, but this is why stuff might fail if
> used differently.
>
> gert

Right. I'm certainly not using it as a long-term connection, all cut-n-run. I'll look to see if I can remove some of the calls, that should help.

--
Cheers
Jason Haar
[Openvpn-users] multiple clients with same cert leads to problems
Hi there

I've got a corner case I've picked up during testing that makes me wonder if there's a bug in openvpn.

Our openvpn server "tests" incoming clients to ensure they comply with our openvpn client standards - killing their session if they don't (basically client-less NAC). One thing we're doing is allowing "duplicate-cn", but using our NAC test to reject clients using the same cert (get better logging of the offenders that way).

Anyway, I have a Mac and Windows box set up to use the same cert to test this, and it causes an interesting situation...

First client connects, second client connects, NAC script notices the same cert in use and kills the first connection. Second client later hangs up. If I then look at the first client hours later, it still thinks it's logged in! There is no error, it still has the tun interface up, but no traffic flows. The server shows no connection via either client (I use the management api to confirm that).

We use "--ping", and tcpdump confirms the first client and server are still exchanging packets - but the server does not classify the client as being connected. But as the openvpn pings are still working, the client doesn't know it's actually disconnected. A simple "kill -HUP" on the client fixes everything as it forces a full restart.

So I have two questions:

1. The client uses "explicit-exit-notify" - but it looks like using the kill management command on the server does not tell the client it is hanging up? Wouldn't that be a good idea?
2. The fact that ping is still working makes me think that means ping must be *separate* from session management? Isn't that a bad idea?

Hopefully I'm wrong and someone will tell me I'm doing it incorrectly :-)

server is 2.3_git, and this is over UDP of course (I doubt this is an issue over TCP, although I haven't tested)

Thanks

--
Cheers
Jason Haar
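The duplicate-certificate check described in the post above, as an added example that is neither the poster's NAC script nor OpenVPN project code: it reads the management interface's "status" output, groups live sessions by common name and names the older session as the one to drop. Assumptions: the version-1 status layout (an "OpenVPN CLIENT LIST" block with a "Common Name,Real Address,...,Connected Since" header), the management command "kill IP:port", and a constructed sample of that output.

```python
"""Find clients sharing one certificate in OpenVPN's management "status"
output and choose the earlier session, as the NAC check above does.
Assumes the version-1 status format and the "kill IP:port" management
command; the sample below is constructed for the example."""
import time
from collections import defaultdict

# Constructed sample: alice-laptop has two live sessions, bob has one.
STATUS_SAMPLE = """OpenVPN CLIENT LIST
Updated,Thu Jun 18 08:12:15 2015
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice-laptop,203.0.113.5:41000,1234,5678,Thu Jun 18 08:00:01 2015
bob,198.51.100.9:50022,99,101,Thu Jun 18 08:05:40 2015
alice-laptop,203.0.113.77:52210,10,20,Thu Jun 18 08:11:59 2015
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,alice-laptop,203.0.113.5:41000,Thu Jun 18 08:12:10 2015
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""


def parse_client_list(status_text):
    """Return [(common_name, real_address, connected_since_epoch)] from the
    CLIENT LIST block; the ROUTING TABLE and everything after it is ignored."""
    clients = []
    in_block = False
    for line in status_text.splitlines():
        if line == "OpenVPN CLIENT LIST":
            in_block = True
            continue
        if line == "ROUTING TABLE":
            break
        if not in_block or not line or line.startswith(("Updated,", "Common Name,")):
            continue
        cn, real_addr, _rx, _tx, since = line.split(",", 4)
        # ctime-style timestamp; only its ordering matters here.
        epoch = time.mktime(time.strptime(since, "%a %b %d %H:%M:%S %Y"))
        clients.append((cn, real_addr, epoch))
    return clients


def duplicate_cn_victims(clients):
    """For every common name with more than one live session, return the
    real address of each session except the newest, oldest first: the
    sessions the NAC check would kill when a second client shows up with
    the same cert."""
    by_cn = defaultdict(list)
    for cn, addr, since in clients:
        by_cn[cn].append((since, addr))
    victims = []
    for _cn, sessions in sorted(by_cn.items()):
        if len(sessions) > 1:
            sessions.sort()
            victims.extend(addr for _since, addr in sessions[:-1])
    return victims


def kill_commands(victims):
    """Management-interface commands for the chosen sessions.  Killing by
    address rather than by common name leaves the newer session alone.
    As the post notes, the killed client is not told it was dropped and keeps
    its tun interface up until its own --ping-restart fires."""
    return ["kill {}".format(addr) for addr in victims]


if __name__ == "__main__":
    for cmd in kill_commands(duplicate_cn_victims(parse_client_list(STATUS_SAMPLE))):
        print(cmd)
```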
Re: [Openvpn-users] OpenVPN in China
On 24/10/14 08:54, Michael Deynet wrote:
> Hello,
> last week I had a trip to china and I used OpenVPN. OpenVPN worked
> well but looking into the server logs I'm a little bit confused.
> After the VPN connection was established from the hotel IP
> (116.6.x.yy) another IP tried to connect to the VPN, too (every time I
> used vpn, not only once). Can anyone tell me what exactly happened? Is
> there a security problem with the VPN server?

Looks to me like something is trying to check out the servers that hotel's customers connect to. I can't tell if this is UDP or TCP or even the port, but if you were running openvpn on tcp port 443, this could be a SSL intercept proxy trying to get your HTTPS public key so it can do man-in-the-middle against your "HTTPS" connections. Obviously that wouldn't work. As long as you've got tls-auth in use, I think you're good to go :-)

SSL intercept I could understand as almost "normal" behaviour these days (ie ignorable). However, if your clients use UDP, this would smell like a pretty serious effort to gather information about what that hotel's customers connect to (or you in particular...). The complete non-relationship between the two IPs also means it could be the Great Firewall of China is doing this - it doesn't necessarily have anything to do with the hotel.

Certainly interesting :-)

PS: of course it could also be a coincidence. Our openvpn routers get hit by bots all the time - precisely because we have it running on HTTPS port. So a bit of luck in the timing could end with logs implying a correlation between a client connect and a bot that really doesn't exist.

--
Cheers
Jason Haar
[Openvpn-users] spelling out how Windows does DNS lookups with a VPN tunnel
Hi there

I just got whacked with a Win8 client running openvpn having a "where do I get my DNS answers from" issue, so I just wanted to ask what explicitly happens WRT DNS so that we all could understand the process better.

So this is what I think happens with Windows clients using openvpn tunnels from (say) a "home network" (although I'd suspect the same holds true for all VPN tech)

1. Windows computer has a single working network connection, with DNS pointers (we'll refer to them as "Internet DNS servers")
2. openvpn starts and uses Internet DNS servers to get IP addresses of openvpn router and connects to it. The server then pushes down what the "Intranet DNS servers" for the remote site are (eg company network)
3. from now on, the Windows machine will do DNS lookups via sending *all* requests to the *Intranet* DNS servers. Only if the *Intranet* servers *don't* respond (note: "no such host" is a response) would it retry using the *Internet* DNS servers. ie when the tunnel is working, all DNS queries go over the VPN
4. eg "intranet.company.dns" would resolve, whereas "local.home.network" would not, or would resolve to the Internet address if it exists (because the Intranet DNS servers were used) and "www.google.com" would resolve and give the same IP address regardless
5. if the tunnel goes down, openvpn would retry connecting - possibly using the Intranet DNS servers - which would timeout. So it would retry and by then Windows would finish tearing down the tunnel enough to mean the Internet DNS servers were now the only option - so that would work and therefore go back to "1"

Does that sum it up?

A lot of the time the problem is that what people want is for the local Internet DNS servers to be used for all DNS *except* the DNS domains pushed down via the openvpn server - but I don't think Windows supports that.

Under Ubuntu (which always uses dnsmasq via 127.0.0.1 for all DNS), this is manually achievable: I have dnsmasq override files to tell dnsmasq to forward queries for "*.company.dns" to the appropriate intranet DNS servers irrespective of the state of the openvpn tunnel (ie they'll fail if it's not running, but that's OK because they'd fail anyway)

Have I got it correct?

Thanks

--
Cheers
Jason Haar
Re: [Openvpn-users] spelling out how Windows does DNS lookups with a VPN tunnel
On 15/11/14 23:10, Jan Just Keijser wrote:
> I'm not sure exactly how it works in Windows 8, but in older versions
> of Windows there's the dns caching service which caches results. When
> an OpenVPN client connects the new DNS servers are not picked up
> immediately - sometimes a
> net stop dnscache
> net start dnscache
> is needed for Windows to pick up the new servers. I am not sure if
> this still applies to Windows 8, but IIRC the commercial OpenVPN
> client did exactly this (net stop + net start).

Actually it ended up being a red herring. Unknown to me, the openvpn server was set up to push routing 192.168/16 over the tunnel - and the Win8 host was on a 192.168 network with a 192.168 DNS server. That should never have been done - we want "split tunnel" and so we only route 10/8 over the tunnel (and yes it would still break for people using 10.* at home - but we can live with that corner case).

Once the ccd/DEFAULT was changed to remove 192.168 and the machine reconnected, their local DNS started working again and now what we see is as follows

1. Windows computer has a single working network connection, with DNS pointers (we'll refer to them as "Internet DNS servers")
2. openvpn starts and uses Internet DNS servers to get IP addresses of openvpn router and connects to it. The server then pushes down what the "Intranet DNS servers" for the remote site are (eg company network)
3. from now on, the Windows machine will do DNS lookups via sending *all* requests to *all* DNS servers. The first server to respond with an answer wins. Note that "nslookup" will only use the default DNS, whereas "ping" and applications will correctly go through both the Internet and Intranet DNS before giving up

I used wireshark to prove this. It's really good but does leave the corner case that looking up the name of (say) a company website that exists on the Internet and on the intranet (with a NATed address) becomes a bit of a "flip the coin" event in regards to what value is returned. If your VPN DNS servers resolve it quicker than your Internet resolver, we'll get the 10.* address - otherwise the Internet address. That will cause confusion in some situations.

Still - it's better than I hoped for :-)

PS: yes, Win8 has a "DNS Client" service. So does Win10

--
Cheers
Jason Haar
Re: [Openvpn-users] ssh over OpenVPN incredibly stable
On 20/12/14 00:47, Jan Just Keijser wrote:
> packets and wait for answer (for a certain period of time). So, if
> your home internet connection drops out for , say, 20 seconds then the
> OpenVPN connection remains intact and so will all TCP-based sessions
> that are running over it.

Don't be so modest. I run openvpn as a service (ie it's always running) and when I'm at home, I'm always logged into 5-10 SSH sessions open at work (via openvpn). I then suspend (ie sleep) my laptop and go to work - 20-60 minutes. I then un-sleep my laptop, it gets an entirely different local IP, openvpn reconnects to the vpn router, gets the same IP it had when at home and lo! my SSH sessions are still there and still respond.

I can have SSH sessions last *weeks* with me shuttling between home and work every day. Awesome :-)

BTW: you need to have sticky openvpn client IPs for that trick to work of course

--
Cheers
Jason Haar
Re: [Openvpn-users] Yosemite mDNS issues
On 24/12/14 08:42, Sebastian Buks wrote:
> What is even more strange is that I have seen it been connected a few times,
> so there is some randomness to it. Has anyone else seen this issue or had
> issues with Bonjour and Yosemite?

My guess would be that if you do see it "randomly" work, and you know that openvpn's config hasn't changed throughout those events, then it has to be a software problem - not a network problem.

The whole mdns thang seems "buggy" (to put it politely), even Microsoft gave up on broadcast based technology (remember WINS?) and settled on DNS. On top of that, I just struggled through getting my new Chromecast to even work on 3 different wifi networks - broadcast based issues again... (btw: multicast == broadcast in this email ;-)

--
Cheers
Jason Haar
Re: [Openvpn-users] Windows 7 + Windows 8 (and Vista) - tunnel fails after resume from Sleep/Standby
I ditched using openvpnservice for precisely this reason and instead have had great results using nssm (The Non-Sucking Service Manager from http://nssm.cc/)

Basically it is a better service manager than the default Windows one and I use it to control openvpn.exe. End result is we can have sleep/hibernate, restart, have tunnels die, etc and nssm will ensure openvpn.exe is restarted - precisely what you want in an "always on vpn"/headless solution.

Here's how we configure it

    "c:\program files\openvpn\bin\nssm.exe" set trimble-openvpn AppDirectory "c:\Program Files\openvpn\config" > NUL 2>&1
    "c:\program files\openvpn\bin\nssm.exe" set trimble-openvpn AppParameters trimble.cfg > NUL 2>&1
    "c:\program files\openvpn\bin\nssm.exe" set trimble-openvpn AppStdin "C:\Program Files\openvpn\log\trimble-openvpn-stdin.log" > NUL 2>&1
    "c:\program files\openvpn\bin\nssm.exe" set trimble-openvpn AppStdout "C:\Program Files\openvpn\log\trimble-openvpn-stdout.log" > NUL 2>&1
    "c:\program files\openvpn\bin\nssm.exe" set trimble-openvpn AppStderr "C:\Program Files\openvpn\log\trimble-openvpn-stderr.log" > NUL 2>&1
    "c:\program files\openvpn\bin\nssm.exe" set trimble-openvpn AppRotateFiles 1 > NUL 2>&1
    "c:\program files\openvpn\bin\nssm.exe" set trimble-openvpn DependOnService Dhcp tap0901 > NUL 2>&1

--
Cheers
Jason Haar
Re: [Openvpn-users] Trouble getting traffic trough obfsproxy
On 10/01/15 10:48, Jan Just Keijser wrote:
> I run an OpenVPN service listening on UDP/1194,
> TCP/1194 and TCP/443 (using 3 different subnets, but the end-users
> hardly notice).

I run 8 openvpn instances available over 5 UDP and 5 TCP ports and use iptables to load balance the ports onto the instances. I use the incredibly useful "--up", "--client-connect", etc scripting options to enable us to have ONE subnet shared over all those instances (plus some client config standards to ensure it all works).

Openvpn is awesome :-)

--
Cheers
Jason Haar
Re: [Openvpn-users] Status log not updating.
On 29/01/15 09:15, Stefan Monnier wrote:
> Reviewing code is too time consuming. Instead, I just download such
> crap through a VPN, this way I know I'm secure

make sure it uses AES!!! Really important

--
Cheers
Jason Haar
[Openvpn-users] anyone else seeing openvpn portscanning?
I have two openvpn routers - one in the US and one in NZ (ie completely different networks). Both are currently being scanned on tcp port 1194 from about 12 different IP addresses - all in Amazon (ie EC2 instances).

They are causing no harm, but I'm seeing around 1 new connection every 2 seconds, and the scary thing is the NZ router is seeing the same source IP within seconds of the US one - which makes me feel like we're being targeted, but the lame, repetitive nature of the port scanner (it's basically a 3-way and hangup - no data as such) makes this the stoopidist scanner there is :-). We use tls-auth as well as certs so these aren't going to find anything. It's also only tcp/1194 - not even the default udp/1194, nor any of the other ports we run openvpn on.

Anyone else seeing these?

--
Cheers
Jason Haar
[Openvpn-users] is there a better way to capture disabled tap interfaces under Windows?
Hi there

We run openvpn under Windows as a service and have had a couple of situations where users for one reason or another have decided to disable openvpn by disabling the TAP interface instead of shutting down the openvpn service.

The problem is that openvpn doesn't appear to look too hard at the enable/disable state of the adaptor and goes through the entire connection to server, negotiating ip addresses, etc - before noticing and crashing/exiting. This causes an infinite loop: the client connects, crashes, sleeps, connects, etc - and the load on the server goes through the roof - all from one user. We can blame the service manager for that - but frankly I *want* it to restart openvpn on error - just not this error :-)

Telling users what to do is fine and sensible, but has a 0% chance of working. Wouldn't it be better if openvpn checked the state of the interface right at the beginning and simply refused to connect if it's in an unusable state? I'd rather the client went into an infinite loop of starting, checking, exiting, starting, etc than involve the server (which affects other users). A 5-10 second delay after such a condition was detected would help reduce any client impact too of course

-- 
Cheers

Jason Haar
Re: [Openvpn-users] OpenSSL Security Advisory [19 Mar 2015]
Do any of them affect openvpn if it's set to use tls-auth (as recommended)? ie is openvpn immune from these if the bad guys don't have copies of your tls-auth file

Thanks

-- 
Cheers

Jason Haar
Re: [Openvpn-users] Traffic/client source
On 25/03/15 11:43, Bjorn S. Nilsson wrote:
> Sometimes I would like to find out what client is the source of
> certain outgoing OpenVPN server packages. Or, more precisely, which
> client is communicating with a particular host. If this is possible,

echo status| nc manage.ment.ip mgt.port

ie ensure openvpn has "--management" configured, then you can query that and it will tell you the name of the client cert, what local IP was allocated and what their external IP is. Then a packet sniffer (eg tcpdump) can be used to see what traffic is being generated - either internal or external (obviously the external will all be encrypted openvpn traffic - so it's not very interesting)

-- 
Cheers

Jason Haar
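An added example (not from the reply or the OpenVPN project) of the lookup the reply describes: parse what the management interface returns for `status` and map a tunnel-side address back to the client certificate's common name and its public endpoint. It assumes the default status layout (a CLIENT LIST and a ROUTING TABLE section, as produced with `--status-version 1`); the status text, common names and addresses below are constructed.

```python
"""Map a VPN-side address back to the client certificate behind it by
parsing the management interface's "status" output.

Added example, not from the mailing-list reply or the OpenVPN project.
Assumes the default status format (status-version 1): an "OpenVPN CLIENT
LIST" section and a "ROUTING TABLE" section, comma separated. The sample
below is constructed; the common names and addresses are made up.
"""

SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Wed Mar 25 11:50:00 2015
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice-laptop,198.51.100.23:51234,120934,884211,Wed Mar 25 08:02:11 2015
bob-desktop,203.0.113.77:1194,5501,7710,Wed Mar 25 11:41:09 2015
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,alice-laptop,198.51.100.23:51234,Wed Mar 25 11:49:58 2015
10.8.0.10,bob-desktop,203.0.113.77:1194,Wed Mar 25 11:49:40 2015
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

SECTIONS = ("OpenVPN CLIENT LIST", "ROUTING TABLE", "GLOBAL STATS", "END")


def parse_status(text):
    """Return (clients, routes).

    clients: {common_name: {real_address, bytes_received, bytes_sent, connected_since}}
    routes:  {virtual_address: {common_name, real_address, last_ref}}
    Header rows and the "Updated," line are skipped by field count / label.
    """
    clients, routes = {}, {}
    section = None
    for line in text.splitlines():
        if line in SECTIONS:
            section = line
            continue
        fields = line.split(",")
        if section == "OpenVPN CLIENT LIST" and len(fields) == 5 and fields[0] != "Common Name":
            cn, real, rx, tx, since = fields
            clients[cn] = {
                "real_address": real,
                "bytes_received": int(rx),
                "bytes_sent": int(tx),
                "connected_since": since,
            }
        elif section == "ROUTING TABLE" and len(fields) == 4 and fields[0] != "Virtual Address":
            vaddr, cn, real, last = fields
            routes[vaddr] = {"common_name": cn, "real_address": real, "last_ref": last}
    return clients, routes


def who_is(text, vpn_address):
    """Identify the cert (common name) and public endpoint behind a tunnel address.

    Returns None when the address is not in the routing table (e.g. a
    client that has since disconnected).
    """
    clients, routes = parse_status(text)
    route = routes.get(vpn_address)
    if route is None:
        return None
    cn = route["common_name"]
    return {
        "common_name": cn,
        "real_address": route["real_address"],
        "connected_since": clients.get(cn, {}).get("connected_since"),
    }


if __name__ == "__main__":
    # In practice the text comes from the management socket, e.g.
    #   echo status | nc manage.ment.ip mgt.port
    print(who_is(SAMPLE_STATUS, "10.8.0.10"))
```

Once `who_is()` has named the client, the tunnel-side address is also the right filter for the sniffer the reply mentions, e.g. `tcpdump -ni tun0 host 10.8.0.10` on the server, which shows the client's plaintext traffic without any need to look at the encrypted outer packets.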
Re: [Openvpn-users] Disconnects, maybe from "Bad source address" messages after connection
On 19/04/15 01:55, Gert Doering wrote:
> OTOH, you'll see the behaviour in many mobile networks today: if there
> is no traffic inside OpenVPN for a given time, like "60 seconds" (yes,
> that short), it will time out the NAT entry and on the next packet, you
> end up with a new source port or source IP address

Doesn't "--ping" take care of that? Keepalive packets should mean the TCP/UDP NAT session sees enough traffic to stop any NAT firewall from timing it out (assuming ping is <30sec). That in turn should stop the firewall needing to change port numbers

-- 
Cheers

Jason Haar
Re: [Openvpn-users] Disconnects, maybe from "Bad source address" messages after connection
On 19/04/15 12:05, Jeff Mitchell wrote:
>
> Unless the NAT implementation is broken. Read up a bit in the thread :-)
>

Ohh! :-) (but there are no broken NAT implementations! Say it ain't so!)

-- 
Cheers

Jason Haar
Re: [Openvpn-users] Disconnects, maybe from "Bad source address" messages after connection
On 19/04/15 22:38, Gert Doering wrote:
> It does, but at the cost of battery life (having to wake up
> frequently, send radio, etc.) - so you can have a much lower --ping
> frequency with --peer-id. Also, there's roaming between wifi and 3G,
> which will inevitably give you a new IP address on the outside -
> nicely handled with --peer-id

Yum! Sounds good. Google's QUIC HTTP "optimizer" would have to do something similar

-- 
Cheers

Jason Haar
[Openvpn-users] openvpn connectivity failure fixed by restart?
Hi there

I just had an odd issue with my Ubuntu-14.04 laptop that I think implies a bug. I had successfully openvpn-ed (version 2.3.2) into work last night, and this morning saw that I'd lost my connection. I run openvpn as a service and it was in a loop: it was connecting for about "--ping-restart" seconds, then generated a couple of LZO errors and restarted - repeating the same pattern. The server was reporting "mtu-dynamic" and "link-mtu" warnings about the repeated connections (even though I do not set mtu in either the server or the client config)

I was a bit confused as it was rock-solid last night. So I simply killed the openvpn client and restarted it and all the problems went away. ie there have been no changes made on either the client or the server, it wasn't working - and yet a full restart of the client software fixed it. Once fully restarted, the LZO client errors and the mtu server warnings disappeared

This implies some bug condition is flowing over between the session attempts doesn't it? Or does it imply my mtu changed somehow and that's sticky until a restart? (but apparently they're only off by 4 bytes, why does that matter?)

*** client syslogs ***

Apr 27 05:06:42 jhaar-nz-ll openvpn[21899]: SENT CONTROL [internet.srv.host]: 'PUSH_REQUEST' (status=1)
Apr 27 05:06:47 jhaar-nz-ll openvpn[21899]: SENT CONTROL [internet.srv.host]: 'PUSH_REQUEST' (status=1)
Apr 27 05:06:47 jhaar-nz-ll openvpn[21899]: Bad LZO decompression header byte: 0
Apr 27 05:06:52 jhaar-nz-ll openvpn[21899]: Bad LZO decompression header byte: 0
Apr 27 05:06:52 jhaar-nz-ll openvpn[21899]: SENT CONTROL [internet.srv.host]: 'PUSH_REQUEST' (status=1)
Apr 27 05:06:52 jhaar-nz-ll openvpn[21899]: NOTE: --mute triggered...
Apr 27 05:06:52 jhaar-nz-ll openvpn[21899]: 6 variation(s) on previous 2 message(s) suppressed by --mute
Apr 27 05:06:52 jhaar-nz-ll openvpn[21899]: TUN/TAP device vpn1 opened
Apr 27 05:06:52 jhaar-nz-ll openvpn[21899]: TUN/TAP TX queue length set to 100
Apr 27 05:06:52 jhaar-nz-ll openvpn[21899]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Apr 27 05:06:52 jhaar-nz-ll openvpn[21899]: /sbin/ip link set dev vpn1 up mtu 1500
Apr 27 05:06:52 jhaar-nz-ll openvpn[21899]: /sbin/ip addr add dev vpn1 10.99.99.99.22/24 broadcast 10.99.99.99.255
Apr 27 05:06:52 jhaar-nz-ll openvpn[21899]: /sbin/ip route add 10.0.0.0/8 via 10.99.99.99.1 metric 500
Apr 27 05:06:52 jhaar-nz-ll openvpn[21899]: Initialization Sequence Completed
Apr 27 05:06:57 jhaar-nz-ll openvpn[21899]: Bad LZO decompression header byte: 0
Apr 27 05:07:02 jhaar-nz-ll openvpn[21899]: Bad LZO decompression header byte: 0
Apr 27 05:07:05 jhaar-nz-ll openvpn[21899]: [internet.srv.host] Inactivity timeout (--ping-restart), restarting
Apr 27 05:07:05 jhaar-nz-ll openvpn[21899]: /sbin/ip route del 10.0.0.0/8 metric 500
Apr 27 05:07:05 jhaar-nz-ll openvpn[21899]: Closing TUN/TAP interface
Apr 27 05:07:05 jhaar-nz-ll openvpn[21899]: /sbin/ip addr del dev vpn1 10.99.99.99.22/24

*** server syslogs ***

WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1546', remote='link-mtu 1542'
WARNING: 'mtu-dynamic' is present in local config but missing in remote config, local='mtu-dynamic'

-- 
Cheers

Jason Haar
[Openvpn-users] has anyone got the Chromebook openvpn client working?
Hi there

We've got a working openvpn server successfully supporting Linux/Windows/Mac clients. I just tried to get the native Chromebook client working via the .ONC file config support (have to due to tls-auth/etc) and didn't have much luck. It successfully connects and gets an IP, but immediately drops off. The server notices no real errors other than

WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1546', remote='link-mtu 1542'
WARNING: 'mtu-dynamic' is present in local config but missing in remote config, local='mtu-dynamic'

We don't see that with any other client - just the Chromebook.

Has anyone got the current Chromebook working with openvpn? I'd love to know what you did ;-)

Thanks!

-- 
Cheers

Jason Haar
Re: [Openvpn-users] has anyone got the Chromebook openvpn client working?
Slight update. I just had the same problem on Android with the "OpenVPN for Android" app, but as it's basically the "pure" client it was easier to diagnose the issue. This is a UDP profile and the server has "fragment 1400" - so the client has to have that too. Once I put that onto the Android, it started working.

Unfortunately, I can't seem to find the ONC-equivalent for Chromebook - any ideas?

Thanks

BTW: I have NEVER got UDP working until I explicitly reduced the fragment size. So if the server is stating "fragment XXX" and the client either has no mention of fragment, or fragment is larger than the server, shouldn't it either error - or set itself to the same value? (and it isn't listed as "pushable" either). This seems such an obvious case for something else to happen?

On 22/05/15 16:05, Jason Haar wrote:
> Hi there
>
> We've got a working openvpn server successfully supporting
> Linux/Windows/Mac clients. I just tried to get the native Chromebook
> client working via the .ONC file config support (have to due to
> tls-auth/etc) and didn't have much luck. It successfully connects and
> gets an IP, but immediately drops off. The server notices no real errors
> other than
>
> WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1546',
> remote='link-mtu 1542'
> WARNING: 'mtu-dynamic' is present in local config but missing in remote
> config, local='mtu-dynamic'
>
>
> We don't see that with any other client - just the Chromebook.
>
> Has anyone got the current Chromebook working with openvpn? I'd love to
> know what you did ;-)
>
> Thanks!
>

-- 
Cheers

Jason Haar
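The fragment mismatch above is easy to catch before a client is rolled out, because the settings that have to agree on both ends are all plain directives in the two config files. The following is an added example (not code from the thread or the OpenVPN project) of a pre-flight check: it parses a server config and a client config and reports every directive from a must-match list that is missing on one side or set to a different value, plus a tls-auth check that both sides have it with complementary key directions. The two configs are constructed; `vpn.example.invalid` is a placeholder hostname, and the check reads key direction only from the `tls-auth` line itself (a separate `key-direction` directive or an inline key is not handled).

```python
"""Compare a server and a client OpenVPN config for the directives that
have to agree on both ends before the tunnel will pass data.

Added example, not from the thread or the OpenVPN project. The two configs
below are constructed. MUST_MATCH lists the directives the thread is about
(fragment, the mtu settings) and the common data-channel settings that
also have to match on both sides.
"""

SERVER_CONF = """\
port 1194
proto udp
dev tun
tls-server
fragment 1400
mssfix 1400
comp-lzo
cipher AES-256-CBC
auth SHA256
tls-auth ta.key 0
"""

CLIENT_CONF = """\
client
proto udp
dev tun
remote vpn.example.invalid 1194   # placeholder hostname
comp-lzo
cipher AES-256-CBC
auth SHA256
tls-auth ta.key 1
"""

MUST_MATCH = ("fragment", "mssfix", "comp-lzo", "cipher", "auth", "tun-mtu", "link-mtu")


def parse_conf(text):
    """Return {directive: [args]}; comments (# or ;) and blank lines are dropped.

    If a directive appears twice the last occurrence wins, which is what
    OpenVPN itself does for single-valued options.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        conf[parts[0]] = parts[1:]
    return conf


def check_configs(server_text, client_text):
    """Return a list of mismatch descriptions; an empty list means consistent."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    problems = []
    for d in MUST_MATCH:
        sv, cv = s.get(d), c.get(d)
        if sv is None and cv is None:
            continue                      # unset on both sides: defaults agree
        if sv is None or cv is None:
            side, val = ("server", sv) if cv is None else ("client", cv)
            problems.append(f"{d}: set on {side} only ({' '.join([d] + val)})")
        elif sv != cv:
            problems.append(f"{d}: server={' '.join(sv)} client={' '.join(cv)}")

    # tls-auth: both sides or neither, and key directions must be 0 on one
    # side and 1 on the other (simplification: direction read from the
    # tls-auth line only, not from a separate key-direction directive).
    st, ct = s.get("tls-auth"), c.get("tls-auth")
    if (st is None) != (ct is None):
        problems.append("tls-auth: present on one side only")
    elif st is not None:
        sd = st[1] if len(st) > 1 else None
        cd = ct[1] if len(ct) > 1 else None
        if {sd, cd} != {"0", "1"}:
            problems.append(f"tls-auth: key-direction server={sd} client={cd} (expected 0/1)")
    return problems


if __name__ == "__main__":
    for p in check_configs(SERVER_CONF, CLIENT_CONF) or ["configs are consistent"]:
        print(p)
```

Run against the pair above it reports `fragment` and `mssfix` as set on the server only, which is exactly the state that produced the silent drop on the Android client; adding the two lines to the client config makes the report empty. Because `fragment` is not pushable, this kind of check belongs in whatever generates the client profiles.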
[Openvpn-users] any way to get local network details to flow through to the server?
Hi there

We're using openvpn to connect employees to the corporate 10/8 network and hit a problem with a client who was on a hotel 10/8 network. We use openvpn in split-tunnel mode and unfortunately the hotel used the same 10.X subnet as a large server subnet range we use - so the user couldn't reach the corporate servers as the traffic stayed local

In this case using the openvpn tunnel as the default gw should have solved the problem - but normal people can't figure that out - so I'd like to solve it dynamically at the server end. However, to do that, the server would need to know in advance the routing table of the client - so that it could do something like "if 10.anything is local, then disable split tunnel and push all traffic through openvpn; else do split tunnel".

Currently it looks like details about the client routing table aren't passed through environment variables to the server, would that be a good idea as an option? Obviously there are privacy issues - but when one organization controls both the client and server - that's a bit academic

-- 
Cheers

Jason Haar
Re: [Openvpn-users] any way to get local network details to flow through to the server?
On 03/06/15 10:58, David Sommerseth wrote:
> Hi, Have you looked at the --client-nat option in the man page?

Yeah - but it's an issue of only wanting it under the condition when the local network conflicts with the corporate network. One-to-one NAT is great but it still breaks some applications, so "no NAT" is still the best option when appropriate.

We run openvpn in "always on" mode - so there's no opportunity for end-users to change settings manually (not that most of them are technically up to the diagnostics required any way) - hence my desire to do it on the server end.

Sounds like my "option 3" is the only way: allow the user to connect, get server to query client to find out local routing table and then reconfigure the client to match conditions where appropriate

-- 
Cheers

Jason Haar
Re: [Openvpn-users] any way to get local network details to flow through to the server?
On 03/06/15 21:54, Gert Doering wrote:
> It might be possible to actually hack together something with a wrapper
> script around openvpn that does "--setenv UV_MY_NETWORK 1.2.3.0/24",
> because "UV_" env variables are sent as push-peer-info to the server.

Yeah I thought about that: easy enough to wrap something around Unix installs - harder for everything else. During the install on clients we grab their hostname and push it into their config via UV_HOSTNAME for precisely that reason. Would be great to have other metadata in there too

Sounds like I'm stuck with the server having to do the donkey work. All our clients have to allow remote admin as a requirement (poor man's NAC), so the server will log in, discover the routing table and if it's "funky", will reconfigure the client directly to route more traffic through the tunnel. Or maybe just generate an alert to begin with. Should probably learn how to walk before going crazy on people's routing tables ;-)

-- 
Cheers

Jason Haar
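The server-side half of the approach discussed in this thread (the original question about conflicting 10/8 networks and Gert's UV_ suggestion) can be a small client-connect script. The following is an added example, not code from the thread or the OpenVPN project. It assumes the client is started with `--setenv UV_MY_NETWORK <cidr>` and `--push-peer-info` so the value arrives on the server as the environment variable `UV_MY_NETWORK`, that the server invokes the script via `client-connect` (which passes the path of a temporary client-config file as the last argument), and that `CORP_ROUTES` is a placeholder for the real corporate ranges. If the reported LAN overlaps a corporate route the script writes `push "redirect-gateway def1"` into that file, so only the conflicting client loses split tunnelling. Since the value is self-reported by the client it is a reachability aid, not an access-control input.

```python
#!/usr/bin/env python3
"""client-connect script: keep split tunnelling unless the client's LAN
overlaps the corporate routes, in which case push a full tunnel.

Added example, not from the thread or the OpenVPN project. Assumptions:
the client sets "--setenv UV_MY_NETWORK <cidr>" and "--push-peer-info"
so UV_MY_NETWORK is in this script's environment; OpenVPN runs the
script as "client-connect" and passes the client-config file path as the
last argument; CORP_ROUTES is a placeholder. The value is self-reported
by the client, so it only drives routing convenience, never authorisation.
"""
import ipaddress
import os
import sys

# Placeholder corporate ranges; replace with the real list.
CORP_ROUTES = [ipaddress.ip_network("10.0.0.0/8")]


def parse_networks(value):
    """Parse a comma/space separated list of CIDRs, ignoring malformed entries.

    Malformed input (or an empty string) yields [], which leaves the
    server's split-tunnel defaults in place rather than failing the connect.
    """
    nets = []
    for tok in value.replace(",", " ").split():
        try:
            nets.append(ipaddress.ip_network(tok, strict=False))
        except ValueError:
            continue
    return nets


def conflicts(client_nets, corp_routes=None):
    """Return the client-side networks that overlap any corporate route."""
    corp_routes = CORP_ROUTES if corp_routes is None else corp_routes
    return [n for n in client_nets if any(n.overlaps(r) for r in corp_routes)]


def decide_push(uv_my_network, corp_routes=None):
    """Return the config lines to append to the client-config file.

    Empty list: nothing to change, the client keeps split tunnelling.
    """
    bad = conflicts(parse_networks(uv_my_network or ""), corp_routes)
    if not bad:
        return []
    return ['push "redirect-gateway def1"']


def main(argv):
    ccd_path = argv[-1]                      # OpenVPN passes the temp ccd file last
    reported = os.environ.get("UV_MY_NETWORK")
    lines = decide_push(reported)
    with open(ccd_path, "a") as f:
        for line in lines:
            f.write(line + "\n")
    if lines:
        cn = os.environ.get("common_name", "?")
        print(f"client-connect: {cn} reports LAN {reported}, which overlaps corporate "
              f"routes; forcing full tunnel", file=sys.stderr)
    return 0                                  # non-zero would refuse the connection


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

`decide_push` is the whole policy and is pure, so it can be unit-tested without OpenVPN; the hotel case from the original post (`UV_MY_NETWORK=10.20.0.0/16` against a 10/8 corporate route) produces the redirect, while a client on 192.168.1.0/24 gets nothing pushed. Because OpenVPN runs `client-connect` with `script-security 2` or higher, the same script is also the natural place to log the "funky" routing cases before automating the fix.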
Re: [Openvpn-users] Win7 Problem with 2.3.6
On 22/06/15 06:53, Gert Doering wrote:
> I spent a few hours in a bus recently where the shitty 3G uplink lost
> its session state every time we drove through a tunnel (this is really
> the worst: no IPv6, and shitty IPv4 NAT), so all my SSH sessions died.
> OpenVPN "tls float" to the rescue... needs git master on the server
> and 2.3.6 (better: 2.3.7) on the client.

I'm running our server off the git version, but my knowledge of git is near-zero so I'm not confident I have the correct version. There is nothing in the code that matches "tls float" - so what should I look for to know for sure I have an openvpn server with this function? (which I assume is actually peer-id)

-- 
Cheers

Jason Haar
[Openvpn-users] any way to add additional DHCP options?
Hi there

We're having difficulty getting openvpn to work with IP Communicator - which relies on DHCP to tell it TFTP details

As openvpn only supports a small number of "fake" dhcp options, I can't think of a way to push that value out to clients - any ideas? (the client does allow you to hardwire it to the correct value, but we're trying to make the application work like it does on the LAN - ie auto-configure)

Obviously I'm running this in routing mode - not bridging (because then it would be working! ;-)

Thanks!

-- 
Cheers

Jason Haar
Re: [Openvpn-users] any way to add additional DHCP options?
On 01/07/15 18:58, Jan Just Keijser wrote:
> several years back there was a patch floating around for adding extra
> DHCP options, but it was never included in the main code. Adding an
> extra DHCP option is not too hard, but it needs to be included on the
> *client* side so you'll have to update all of your clients to use such
> a patch.

Any reason it wasn't included in the formal source? ie what's the downside? Then we could add NTP, WPAD, etc

-- 
Cheers

Jason Haar
Re: [Openvpn-users] any way to add additional DHCP options?
On 01/07/15 23:19, j.witvl...@mindef.nl wrote:
> I can polish up my patch again and add NTP, TFTP and WPAD support, if there's
> enough demand for it. The patch would not be very large anyway, so the "lots
> of extra code" argument applies only a little

I know this is a little biased, but I've just reviewed all the standard DHCP options Windows DHCP server has and I think if you were to add the following options, that would cover all the useful ones actually on offer (fighting words I know! ;-)

* TFTP (150)
* WPAD (252)

Even then WPAD isn't really needed as there's a much better alternative (wpad.* dns name) that works fine over openvpn, and the TFTP one is really just because of Cisco's product (I can't think of any other non boot-time application that wants to use TFTP to gain data - haven't they heard of SRV DNS records???)

That would make for a small patch ;-)

PS: I ignored my favorite "sounds useful, but is poorly supported" Timezone (101) option because your computer's timezone should always come from your physical location - not the remote end of a VPN tunnel. I think a lot of DHCP options aren't needed for the same reason

-- 
Cheers

Jason Haar
[Openvpn-users] need some form of anti-DOS in openvpn?
Hi there

There have been a few occasions where some valid Windows client would continually hit our openvpn server, but something goes wrong on the client end and it immediately retries: around once every 5 seconds. No idea what the root cause is (besides "it's Windows" ;-), but it's the impact on the server that this email is about

We use the script options on "--up",etc - so what happens is there is a flood of scripts being run against this "client-that-is-broken" and basically the load average goes through the roof (ie due to the scripts more than openvpn itself) and the entire server starts to stagger - which would affect all the nicely connected clients.

To reiterate, this means the client gets a tunnel up and running, but then immediately gets another tunnel up and running (the first one still going, calling "--up" scripts and yet that client session is dead, waiting for the server to time it out)

Not much to go on I know, but could there be some way for openvpn server to keep track of something like "timestamp:externalIP:cert" and basically start ignoring new sessions if it sees more than one every XX seconds? That would reduce the damage such events cause (note I don't include ports in my suggestion because an openvpn server may have multiple ports available to all clients - so they're not unique)

Thanks

PS: actually, I've seen this with the Chrome client too. Totally bugs on the client - but it kills the server

-- 
Cheers

Jason Haar
Re: [Openvpn-users] need some form of anti-DOS in openvpn?
On 12/08/15 20:20, Erich Titl wrote:
>
> The script might do this just the same. This would avoid having to
> wait for an implementation in openvpn, which might break behaviour too.
>

Well yeah - but it's the calling hundreds of scripts per minute that are causing the load :-)

...but you are correct, I'm already looking into changing the scripts to try to pick up earlier that there's a problem with the new session, and ditch

-- 
Cheers

Jason Haar
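The "timestamp:externalIP:cert" throttle from the original post, done in a script as Erich suggests, as an added example (not code from the thread or the OpenVPN project). It keeps a sliding window of connection times keyed on public IP plus certificate common name (ports deliberately excluded, as the post argues), stores it in a small JSON file because OpenVPN starts a fresh process for every `client-connect` invocation, and returns False once a key exceeds the allowed number of connects in the window. Assumptions: the script is wired in as `client-connect`, a non-zero exit makes OpenVPN refuse the connection, the environment variables `trusted_ip` and `common_name` are the ones OpenVPN sets for scripts, and the state-file path is a placeholder. It runs before the heavier `--up`-style scripts, which is where the load in the post came from.

```python
#!/usr/bin/env python3
"""Per-client reconnect throttle for use from an OpenVPN client-connect script.

Added example, not from the thread or the OpenVPN project. Implements the
"timestamp:externalIP:cert" idea from the post: a sliding window of
connection timestamps keyed on (public IP, certificate common name),
persisted in a JSON file because each connection runs the script as a new
process. Assumptions: non-zero exit from client-connect refuses the
connection; trusted_ip and common_name are the standard script
environment variables; THROTTLE_STATE / the default path are placeholders.
A single server process invokes the script, so no file locking is done;
add a lock if several instances share one state file.
"""
import json
import os
import sys
import tempfile
import time


def _load(path):
    """Read the state file; a missing or corrupt file is treated as empty."""
    try:
        with open(path) as f:
            return json.load(f)
    except (OSError, ValueError):
        return {}


def should_accept(state_path, trusted_ip, common_name, now=None, window_s=60, max_in_window=2):
    """Record this attempt and return True if the client is within the allowed rate.

    Refused attempts are recorded too, so a client that keeps hammering
    stays refused until it has been quiet for window_s seconds. Stale keys
    are pruned so the file does not grow without bound.
    """
    now = time.time() if now is None else now
    state = _load(state_path)
    key = f"{trusted_ip}:{common_name}"          # port intentionally not part of the key
    recent = [t for t in state.get(key, []) if now - t < window_s]
    recent.append(now)
    state[key] = recent
    state = {k: v for k, v in state.items() if any(now - t < window_s for t in v)}
    tmp = state_path + ".tmp"
    with open(tmp, "w") as f:
        json.dump(state, f)
    os.replace(tmp, state_path)                   # atomic swap so a crash never leaves a half-written file
    return len(recent) <= max_in_window


def main():
    state = os.environ.get("THROTTLE_STATE", "/var/run/openvpn-throttle.json")  # placeholder path
    ip = os.environ.get("trusted_ip", "?")
    cn = os.environ.get("common_name", "?")
    if should_accept(state, ip, cn):
        return 0
    print(f"client-connect: reconnect storm from {ip} ({cn}), refusing", file=sys.stderr)
    return 1


def demo():
    """Constructed sequence of connects showing the throttle's decisions."""
    path = os.path.join(tempfile.mkdtemp(), "throttle.json")
    return [
        should_accept(path, "198.51.100.5", "bob-desktop", now=1000.0),   # first connect
        should_accept(path, "198.51.100.5", "bob-desktop", now=1005.0),   # again 5 s later
        should_accept(path, "198.51.100.5", "bob-desktop", now=1010.0),   # third in 60 s: refused
        should_accept(path, "198.51.100.5", "alice-laptop", now=1010.0),  # other cert, own budget
        should_accept(path, "198.51.100.5", "bob-desktop", now=1200.0),   # quiet period passed
    ]


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--demo":
        print(demo())
    else:
        sys.exit(main())
```

`demo()` returns `[True, True, False, True, True]`: the broken client from the post is refused from its third connect inside a minute, a different certificate from the same NAT address is unaffected, and the client is let back in once it has been quiet for the window. Refusing at `client-connect` is cheap compared with the `--up` scripts the post mentions, and the `trusted_ip` key means a genuinely different client behind the same public address is not punished.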
[Openvpn-users] anyone get ChromeOS openvpn working?
Hi there

I've used the ONC documentation to create a ONC file for ChromeOS and used chrome://net-internals/#chromeos to import it in. The openvpn config contains tlsauth, client certs, CA certs, both udp and tcp and IgnoreDefaultRoute==true

http://www.chromium.org/chromium-os/chromiumos-design-docs/open-network-configuration

When I attempt to connect, the server shows the incoming connection and IP address assignment - but then - nothing. The device isn't pingable and sniffing the vpn interface (on the server) shows no traffic. Then after the ServerPollTimeout interval, the client disconnects and immediately reconnects - ad infinitum

I don't know if there's a mechanism to debug the client, so I'm pretty much stumped. We have openvpn working on Linux/Mac/Windows/Android and iPhone - but for the life of me I cannot get it going on ChromeOS

Has anyone got that working?

-- 
Cheers

Jason Haar
Re: [Openvpn-users] client config fallback from 1194 udp to 80 tcp
On 21/10/15 09:49, debbie...@gmail.com wrote:
> NOTE: Just because you specify HTTP port 80 does not mean an intervening
> firewall is not capable of detecting a NON HTTP protocol and blocking you
> anyway.

I agree - in fact I'd suggest NEVER use tcp/80 and instead use tcp/443 - as that's just as likely to be open and you are less likely to hit a transparent proxy

Also, you had tcp/80 first and then udp/1194 - which I think is the opposite order to what you wanted? ie openvpn works from the top of the config downwards

-- 
Cheers

Jason Haar
Re: [Openvpn-users] OpenVPN architecture questions
On 29/11/15 22:56, Steffan Karger wrote:
> OpenVPN makes a distinction between control traffic (key/config
> exchange, etc) and data traffic (actual vpn network packets). For
> control packets, OpenVPN has a reliability layer that ACKs packets,
> retransmits, etc. For data packets, OpenVPN does not do any of that.
> (But, when you're using TCP mode, TCP does that, ofc.)

...Then why does it work so well over UDP? I almost exclusively use openvpn over UDP and I would have thought the lack of error checking on the data channel would hurt, so why doesn't it? eg, if there's no UDP error checking built into openvpn, then shouldn't DNS lookups (ie udp inside a udp openvpn tunnel) fail a lot? Or is the Internet generally so reliable that it doesn't matter? (eg 1% packet loss on Internet leads to 1% packet loss inside openvpn tunnel?)

-- 
Cheers

Jason Haar
[Openvpn-users] openvpn server pretends to be .254 for emulated dhcp server?
Hi there

I'm running an openvpn server with a /24 netmask for available IP client addresses. We're still under 100 clients so this hasn't become an issue yet, but I just noticed that a Windows client was saying it got its openvpn IP client address from a DHCP server running on the .254 address...

The server is actually set up to use the .1 address (ie "ifconfig x.y.z.1 255.255.255.0"), so as far as I'm concerned, the .254 address is available for a client. But the last thing I want is a client getting that address and suddenly unicast DHCP queries start failing (because they're hitting a client instead of a server)

I know this is "DHCP emulation" - which could mean this is all smoke-n-mirrors and doesn't actually have any negative effect - but I thought I'd ask. But I would also ask why it couldn't have declared itself to be the .1 address - as that is internally consistent?

Thanks

-- 
Cheers

Jason Haar
Re: [Openvpn-users] openvpn server pretends to be .254 for emulated dhcp server?
On 05/12/15 14:05, Selva Nair wrote:
> That would be fine too. Say the second client gets 10.200.0.3 with
> dhcp server at 10.200.0.254 (the default). The client will send the
> dhcp packet to .254 (or to 255.255.255.255 if it's the first time), the
> tap driver will reply to it and all will be fine. The dhcp server
> being just some magic serviced by the local tap driver, there should
> be no issues.

...but what about that second client? How would Windows react if the DHCP server on X.Y.Z.254 tells it to use X.Y.Z.254 as its own IP address?

The big question is why is the TAP driver hard-wired to pretend X.Y.Z.254 is the DHCP server IP? Why can't it pretend to be the IP address of the openvpn server? That would make more sense and be internally correct?

--
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Re: [Openvpn-users] openvpn server pretends to be .254 for emulated dhcp server?
On 05/12/15 15:10, Selva Nair wrote:
> OpenVPN will fail with an error saying dhcp server address conflicts
> with the client ip.
> You can change this default behaviour using "ip-win32 dynamic 0" to
> move the dhcp server to x.y.z.0. Then 254 will be accepted.

We use .1 on the server, so would "ip-win32 dynamic 1" make the client think the DHCP server was on 192.168.0.1? That would be perfect.

    # This defines the "dhcp" range
    mode server
    tls-server
    push "topology subnet"
    ifconfig 192.168.0.1 255.255.255.0
    ifconfig-pool 192.168.0.10 192.168.0.254 255.255.255.0

--
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
[Openvpn-users] want to confirm: verify-x509-name for cert DNS check
Hi there

I'm wanting to do some smoke-n-mirrors with DNS to point clients at the best openvpn server, and I wanted to check that what I am doing is supported (i.e. I won't get a surprise a year from now when this is discovered to be a "bug" and gets fixed ;-)

So am I correct in saying that if a client is configured to only use "verify-x509-name . name" to validate the server, then as long as the server cert contains "." as one of its "Subject alternative names", the client is happy?

So... I could configure the client to connect to the server's IP address, or some entirely unrelated "." DNS alias - and it would be happy, because the server cert contains "." as one of its name options? i.e. there's no need for the other DNS aliases to be part of the server cert?

I bring this up because that wouldn't work in a web browser - so I want to check this is supposed to be how openvpn works (I guess we could call it a kind of "pinning").

Thanks!

--
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Re: [Openvpn-users] want to confirm: verify-x509-name for cert DNS check
On 14/12/15 00:29, Steffan Karger wrote:
> No, verify-x509-name does not do anything with Subject alt names. It
> validates the peer certificate subject (or a specific part of the
> subject, if you use the 'name' or 'name-prefix' types). I think the man
> page explains this quite accurately:

My mistake - our server cert actually has the name I intend to use as the primary name - and the actual "real" server names as Subject Alt names. I sort of just assumed they were all treated as one "array" - like what happens in browsers.

In any case - excellent - I can work with this :-)

--
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
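The point Steffan makes above, as an added example that is not part of the thread and not OpenVPN's own code: a small model of the three --verify-x509-name types (subject, name, name-prefix) run over a constructed server certificate whose real host names live only in the SAN list. The "C=..., O=..., CN=..." subject rendering and the cert contents are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class PeerCert:
    """Just the parts of an X.509 cert this check looks at (plus the SANs it ignores)."""
    subject: List[Tuple[str, str]]                  # RDNs in order, e.g. [("C", "NZ"), ("CN", "...")]
    sans: List[str] = field(default_factory=list)   # dNSName entries; present only to show they are unused


def subject_string(cert: PeerCert) -> str:
    """Render the subject in the 'C=NZ, O=..., CN=...' form (assumed to be the 2.3+ default)."""
    return ", ".join(f"{key}={value}" for key, value in cert.subject)


def common_name(cert: PeerCert) -> Optional[str]:
    for key, value in cert.subject:
        if key == "CN":
            return value
    return None


def verify_x509_name(cert: PeerCert, expected: str, kind: str = "subject") -> bool:
    """Model of --verify-x509-name <expected> [subject|name|name-prefix].

    subject     : the whole subject DN string must match exactly (the default type)
    name        : the CN must match exactly
    name-prefix : the CN must start with <expected>
    The SAN list and the address the client dialled play no part, so this is a
    pin on the subject, bounded only by what the trusted CA is willing to issue.
    """
    if kind == "subject":
        return subject_string(cert) == expected
    cn = common_name(cert)
    if cn is None:
        return False
    if kind == "name":
        return cn == expected
    if kind == "name-prefix":
        return cn.startswith(expected)
    raise ValueError(f"unknown verify-x509-name type: {kind}")


# Constructed server certificate: the "primary" name in the CN, the real host
# names as SANs, mirroring the setup described in the thread.
SERVER_CERT = PeerCert(
    subject=[("C", "NZ"), ("O", "Example Ltd"), ("CN", "vpn.example.com")],
    sans=["vpn.example.com", "vpn1.example.com", "vpn2.example.com"],
)


def check_examples() -> dict:
    """What clients with different verify-x509-name settings conclude about SERVER_CERT."""
    return {
        # dialled vpn2.example.com (or an IP): still accepted, only the CN is checked
        "name, CN matches": verify_x509_name(SERVER_CERT, "vpn.example.com", "name"),
        # a name that exists only as a SAN is not enough: SANs are never consulted
        "name, SAN-only name": verify_x509_name(SERVER_CERT, "vpn2.example.com", "name"),
        # name-prefix accepts every CA-issued cert whose CN starts with the prefix
        "name-prefix, 'vpn'": verify_x509_name(SERVER_CERT, "vpn", "name-prefix"),
        "subject, full DN": verify_x509_name(SERVER_CERT, "C=NZ, O=Example Ltd, CN=vpn.example.com"),
        # the default type compares the whole DN, so a bare CN string does not match it
        "subject, CN only": verify_x509_name(SERVER_CERT, "CN=vpn.example.com"),
    }


if __name__ == "__main__":
    for label, accepted in check_examples().items():
        print(f"{label:24s} -> {'accept' if accepted else 'reject'}")
```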
Re: [Openvpn-users] Push proxy settings on Windows
Traditionally the mechanism would be to use WPAD over DNS. That would make a Windows computer resolve "wpad.XXX" for every domain every DNS interface has, which means your VPN interface domain name could respond - telling the browser about the local proxy/etc. AD-integrated Windows computers would also look up "wpad.their.ad.domain" too - which is another opportunity to respond with WPAD details.

Jason

On 21/12/15 10:44, Gert Doering wrote:
> Hi,
>
> On Sun, Dec 20, 2015 at 11:44:36AM -0800, Laurens Vets wrote:
>> Is it possible somehow to push proxy settings from the OpenVPN server
>> to clients (Windows or Linux)? I wasn't immediately able to find
>> anything that might explain it if it's supported...
>
> It is not, because it doesn't make sense - at least for the proxy settings
> for OpenVPN itself, because you need them before you can connect to the
> server to receive the info which proxy to use...
>
> As for clients using the VPN, that might be possible by passing
> environment variables ("push setenv ...") and setting up something
> in an --up script. But I'm not aware of any ready-made implementation.
>
> gert

--
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Re: [Openvpn-users] Forthcoming OpenSSL releases
It's basically about the risk of using the same cert on multiple SSL services. If your website is all good on TLS 1.2 but you use the same cert on your old FTP server that still supports SSLv2, then your website traffic is at risk of being decryptable due to attackers discovering your private key via FTP.

So if your openvpn servers have specific certs and aren't used by any other SSL service, you should be fine.

(here's hoping I haven't just embarrassed myself ;-)

Jason

On Tue, Mar 1, 2016 at 9:56 PM, Kapetanakis Giannis <bil...@edu.physics.uoc.gr> wrote:
> Just a heads up on this:
>
> https://mta.openssl.org/pipermail/openssl-announce/2016-February/63.html
>
> release is due today and it "will fix several security defects with
> maximum severity "high".
>
> No idea if openvpn is affected.
>
> regards,
>
> G

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Re: [Openvpn-users] Allowing all OpenVPN 2.4.x Windows users to run OpenVPN by default?
On Fri, Mar 4, 2016 at 1:38 AM, Gert Doering wrote:
> I think this needs to be a question the installer asks.

I agree. Let's face it, the use-case you are talking about is an organization using something like SCCM to roll out openvpn to a bunch of users - who don't have local admin (if they did, you wouldn't need this feature). Frankly, such an organization is really using SCCM to control who has openvpn, so would also probably want all users *who have openvpn installed* to be able to run openvpn - so would set the group to be "Domain Users" rather than anything finer-grained. Or they would make a domain group called "Openvpn Users" and use it to control who gets openvpn - and therefore also has the ability to run it.

Jason

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
[Openvpn-users] feature request: HTTPS proxy support
Hi there

We're starting to use proxy servers with native TLS support (you connect to the proxy over TLS, then send your proxy requests - i.e. all proxy traffic is encrypted). If openvpn supported such a mode, we could encapsulate openvpn traffic within a TLS channel - which could help openvpn actually work for some of our users when travelling to certain countries...

Yes this is an obfuscation trick, but one that uses 99% of existing code :-) and yes I know this could be hacked together using stunnel/socat/etc. But notice the phrase "hacked together".

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Re: [Openvpn-users] feature request: HTTPS proxy support
Yeah, instead of opening a TCP socket to a proxy port (e.g. 3128) and sending "GET url..." proxy commands, you set up a TLS/TCP socket to a different proxy port and then send your proxy commands. squid-3.X supports it and it means we can securely (actually, privately would be a better word) run proxied clients over the Internet.

So I was thinking that if openvpn supported TLS proxies, then we could run openvpn through a true TLS layer - at the moment if you run openvpn on (say) TCP/443, that can be picked up by layer-7 firewalls as being non-HTTPS traffic (more correctly, non-TLS traffic). If you encapsulated openvpn inside TLS, it would look to the world identical to HTTPS traffic.

On Wed, Mar 16, 2016 at 9:07 AM, Gert Doering wrote:
> Hi,
>
> On Tue, Mar 15, 2016 at 03:52:50PM -0400, Jake Thompson wrote:
> > Are you talking about having OpenVPN connect through the proxy via
> > HTTP CONNECT, or have it disguise its traffic as HTTP GET and POST
> > requests?
>
> Neither. Connect *to* the proxy using a SSL session (and then go ahead
> with HTTP CONNECT, but that part is long supported)
>
> I have no idea whether this functionality will show up, or how much work
> it is to make it happen, though.
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> www.muc.de/~gert/
> Gert Doering - Munich, Germany
> g...@greenie.muc.de
> fax: +49-89-35655025
> g...@net.informatik.tu-muenchen.de

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Re: [Openvpn-users] Remove "Trust this application" warning on Android
On Fri, Mar 18, 2016 at 8:10 AM, Gert Doering wrote:
> It's a warning from Android that an application is trying to use the
> VPN API (and thus able to steal and sniff traffic from other apps).

I'm using Arne's "OpenVPN for Android" and it doesn't do this (Android 6.0). Surely it's using the same APIs? I just get a nice "key" in the notification area.

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
[Openvpn-users] openvpn-install-2.3.11-I601-x86_64 bluescreens latest Win10 Insider build
Hi there

I just heard from one of our IS staff who moved onto the Win10 Insider build 14332 that it was continually bluescreening - and in the end disabling openvpn fixed it (we run openvpn as a service). So I did the same thing (installed 14332) using the current 2.3.11-I601-x86_64 and indeed the moment the TAP interface comes up (i.e. it gets a tunnel IP address), the system crashes. This issue also affects the older 2.3.10 version - so it's more likely the new Win10 build "does something differently".

So this could be a major bug with Win10 14332 (it only just came out) that openvpn just happens to tickle - but it could also imply Win10 now has some subtle assumptions that openvpn/TAP isn't meeting? I dunno - that's why I brought it up :-)

PS: The bluescreen only says "CRITICAL_PROCESS_DIED" and there's nothing in the eventlog about it. System comes up, openvpn is started, openvpn logs get to report "Initialization Sequence Completed", system crashes.

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
[Openvpn-users] OT: howto make Ubuntu networkmanager restart dnsmasq?
Hi there

I use the "up/down" feature of openvpn to enable/disable redirecting DNS lookups of intranet domains to our work network when openvpn is up and running - and tear it down when it's not.

However, I can't actually get that part to work. dnsmasq has a "feature" whereby you can't tell it to re-read its config - it's only read at startup. So I've got "--up" creating a nice /etc/NetworkManager/dnsmasq.d/intranet file, but can't figure out how to tell NetworkManager to restart dnsmasq, so that it can discover that. Restarting NetworkManager certainly fixes the problem - but restarting the entire network stack just to fix DNS is not a solution...

Anyone else figured that out? This is Ubuntu 16.04.

Thanks!

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Re: [Openvpn-users] OT: howto make Ubuntu networkmanager restart dnsmasq?
On Tue, May 24, 2016 at 1:03 AM, Jan Just Keijser wrote:
> Have you tried an /etc/NetworkManager/dispatcher.d script?

To do what? :-) Yes, I can call scripts at the precise moment they are needed - but what I don't know is how to get NetworkManager to restart dnsmasq - other than by restarting NetworkManager. I used to be on Fedora and I would swear I used to just kill dnsmasq and NetworkManager auto-restarted it - but that isn't the case with Ubuntu.

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Re: [Openvpn-users] OT: howto make Ubuntu networkmanager restart dnsmasq?
On Tue, May 24, 2016 at 9:42 AM, Jan Just Keijser wrote:
> (/etc/NetworkManager/dispatcher.d/10_dnsmasq +
> /etc/systemd/system/NetworkManager-dnsmasq.service)

Nah - there is no NetworkManager-dnsmasq service in Ubuntu 16.04 (and yes it is systemd based). There is no "*dnsmasq*" service at all - it's just something that NetworkManager calls somehow - but doesn't bother to keep tabs on.

I think I might just go back to Fedora, I have not been enjoying the experience ;-)

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Re: [Openvpn-users] openvpn-install-2.3.11-I601-x86_64 bluescreens latest Win10 Insider build
On Fri, May 13, 2016 at 6:47 PM, Gert Doering wrote:
> Given that the tap6 driver works on about every version of windows since
> Vista, and we've not received any reports about system crashes, I tend to
> point at "microsoft broke something in the driver handling" - but have no
> idea how to debug that, or what to do about it.

Is there any way one of the openvpn developers for Windows could get onto the Insider Build track to see this for themselves? This is probably a warning of things to come. It could be that the next formal build release of Win10 to the public has this characteristic and then openvpn will be toast?

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Re: [Openvpn-users] Recommended MTU
I have always found that UDP never works without fiddling with MTU-related settings. So for UDP configs we use

    fragment 1400
    mssfix
    explicit-exit-notify 2

No need for TCP - that just works.

On Fri, Jul 29, 2016 at 7:56 AM, Chris wrote:
> All,
>
> what are recommended MTU / fragment / mssfix settings for UDP road
> warriors?
>
> What settings are best for clients connecting to port 443 (TCP)?
>
> - Chris

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Re: [Openvpn-users] Access from Client on a high latency link very slow
I'm in New Zealand and indeed can confirm VPN (basically any kind) works just fine over high-latency links. The only real issue is *packet loss*. If you are on a raw Internet link with (say) 1% packet loss, and mostly do non-stateful stuff like web surfing, then your Internet experience is "pleasant". However, if you run a VPN (any kind) over that 1% packet loss link, it "feels like" 10% packet loss within the VPN - and at that point from an end-user perspective it is effectively *broken*. People complain, cats and dogs live together in harmony, world-ending catastrophe.

Packet loss is the enemy of VPNs - not distance.

On Tue, Aug 16, 2016 at 12:33 AM, Eduardo Wirth wrote:
> Hello
> I live and work in Uruguay.
> 300ms RTT to Europe is expected as a normal delay.
> South America - Europe traffic normally goes via Miami.
> I agree with the comments from Selva. I have worked with satellite
> connections (more than 1000ms) ... it always depends on the type of data
> you want to transmit and its features (interactive or not).
> But correctly done, 300ms can work in most scenarios.
>
> Eduardo
>
> Dante F. B. Colò wrote:
> > Hello everyone
> >
> > I have an issue with a client machine running openvpn 2.3.11 on Windows
> > 10 located in London; my server is located here in São Paulo, Brazil
> > and there is high latency between the two endpoints: ping replies to
> > each other take around 280 ms. When I try to access some service on my
> > network almost everything takes a long time to respond; it is practically
> > unusable. I already tried some things like enabling LZO compression and
> > changing the mtu on client and server tun interfaces. I still don't have much
> > experience with openvpn. Is this normal? Is there anything more that I
> > can do to improve performance?
> >
> > Regards
> > Dante F. B. Colò

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Re: [Openvpn-users] [Openvpn-devel] OpenVPN 2.3.12 released
On Wed, Aug 24, 2016 at 3:52 AM, Samuli Seppänen wrote:
> The OpenVPN community project team is proud to release OpenVPN 2.3.12.

Great work guys. Can you tell me if the peer-info and peer-id server side code is in this version too? I'm still running on a GIT version of the server because of my desire for the peer-id data, but I'd rather be vanilla to be honest :-)

Thanks again!

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Re: [Openvpn-users] Windows tap driver signing certificate expired.
We kept hitting the problem of the driver triggering a UAC admin popup requiring confirmation - even though it is signed. We got around it by using certutil to "pre-load" the cert into the system store, then it doesn't need to do the UAC check. I don't know if this is needed any more, but it's still working on everything up to Win10 - so we'll keep doing it to keep our silent/scripted installs working without a murmur :-)

    certutil -addstore "TrustedPublisher" openvpn-tap-driver.p7b > NUL 2>&1

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Re: [Openvpn-users] Windows tap driver signing certificate expired.
On Wed, Sep 7, 2016 at 8:03 PM, Samuli Seppänen wrote:
> The SHA1 signature is/was needed to support Windows Vista. It was
> created using a normal (non-EV) kernel-mode Authenticode certificate.

As far as I'm aware, a fully patched WinXP box fully supports SHA2 - so you shouldn't have any issues with Vista+?

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
[Openvpn-users] question about "WARNING: this cipher's block size is less than 128 bit"
Hi there

Am I correct that to move off the Blowfish cipher, we'll have to reconfigure the openvpn servers and clients simultaneously? The server and clients don't currently have "cipher" defined, but the newer clients are generating those "cipher" warnings.

Also, am I correct that "cipher" cannot be used within a "" block? i.e. there's no way to migrate - it has to be a "hard" outage.

I'm just wondering how other people do it. I can't see any way out of this other than bringing up entirely independent server infrastructure, so that the new clients can use the new servers while the old clients migrate.

Thanks

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Re: [Openvpn-users] question about "WARNING: this cipher's block size is less than 128 bit"
On Fri, Nov 4, 2016 at 8:47 PM, Gert Doering wrote:
> The other would be to live with the warning message until you can roll
> out 2.4, which will be able to handle per-client ciphers, AND will
> auto-upgrade 2.4 clients to AES-256-GCM.

By that do you mean that if you upgrade the clients to 2.4 (with a 2.3 server), and don't define "cipher", they will figure it out and still work with the older server? And when I finally upgrade the server to 2.4 (without defining "cipher"), then after the restart, the 2.4 clients will all move off Blowfish to AES? That would be great - certainly worth waiting for :-)

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Re: [Openvpn-users] question about "WARNING: this cipher's block size is less than 128 bit"
On Mon, Nov 7, 2016 at 10:46 PM, Gert Doering wrote:
> - 2.4 client talking to 2.4 server will send a special handshake (IV_NCP=2)
>   which signals "I can do pushable cipher, and I can do AES-GCM", so the
>   server will (usually) send back "cipher AES-256-GCM" and move itself
>   to AES-256-GCM as well.

All right, let's get this clear for me and for others :-)

If I have a 2.4 server, I can set it to "cipher BF-CBC" and keep all the 2.3 clients happy. Then I can migrate the clients to 2.4 (even with "cipher BF-CBC" too), and as they come in, they negotiate before "cipher" matters and go AES-256-GCM: basically "--cipher" is ignored in 2.4+ transactions?

Or I can migrate the clients to 2.4 with "cipher BF-CBC", and when they fail to negotiate with the 2.3 server, they'll still be happy, and then when I migrate the server to 2.4, they all auto-update to AES.

Is that correct? That would be perfect as then no dual infrastructure would be required.

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
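The rolling-upgrade path discussed in this thread (2.3 and 2.4 on either side, IV_NCP=2, the pushed "cipher AES-256-GCM", the small-block warning), as an added model that is not part of the thread and not OpenVPN's own code. Assumptions, all labelled in the code: a peer with no "cipher" line uses BF-CBC; a 2.4 peer sends IV_NCP=2 unless "ncp-disable" is set; a 2.4 server pushes the first entry of its "ncp-ciphers" list (default AES-256-GCM:AES-128-GCM) that the client can take; the config fragments are constructed for the example.

```python
from typing import Dict, Optional

DEFAULT_CIPHER = "BF-CBC"                            # used when "cipher" is absent (assumption: 2.3/2.4 default)
DEFAULT_NCP_CIPHERS = "AES-256-GCM:AES-128-GCM"      # assumed 2.4 server default for ncp-ciphers
NCP_CLIENT_CAPABLE = {"AES-256-GCM", "AES-128-GCM"}  # what IV_NCP=2 promises (assumption)
BLOCK_BITS = {"BF-CBC": 64, "DES-EDE3-CBC": 64, "AES-128-CBC": 128,
              "AES-256-CBC": 128, "AES-128-GCM": 128, "AES-256-GCM": 128}

# Constructed config fragments for the migration states in the thread.
SERVER_23 = "mode server\ntls-server\n"                  # no "cipher": BF-CBC by default
SERVER_24 = "mode server\ntls-server\ncipher BF-CBC\n"   # keeps the 2.3 clients happy
CLIENT_23 = "client\nremote vpn.example.com 1194\n"
CLIENT_24 = "client\nremote vpn.example.com 1194\ncipher BF-CBC\n"


def version_tuple(version: str):
    return tuple(int(x) for x in version.split(".")[:2])


def parse_config(text: str) -> Dict[str, str]:
    """Turn an OpenVPN config fragment into {option: argument string}."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            opts[key] = value.strip()
    return opts


def peer_info(client: Dict[str, str], version: str) -> Dict[str, str]:
    """Model of the IV_* peer-info a client sends in its handshake."""
    info = {"IV_VER": version}
    if version_tuple(version) >= (2, 4) and "ncp-disable" not in client:
        info["IV_NCP"] = "2"   # "I can take a pushed cipher, and I can do AES-GCM"
    return info


def negotiate(server_cfg: str, server_version: str,
              client_cfg: str, client_version: str) -> Dict[str, Optional[str]]:
    """Which data-channel cipher the pair ends up on, and whether it was pushed."""
    server, client = parse_config(server_cfg), parse_config(client_cfg)
    info = peer_info(client, client_version)
    server_ncp = version_tuple(server_version) >= (2, 4) and "ncp-disable" not in server

    if server_ncp and info.get("IV_NCP") == "2":
        # Both sides are 2.4: the server pushes the first ncp-cipher the client can do,
        # and the static "cipher" on either side no longer matters.
        for cand in server.get("ncp-ciphers", DEFAULT_NCP_CIPHERS).split(":"):
            if cand in NCP_CLIENT_CAPABLE:
                return {"cipher": cand, "pushed": True, "warning": None}

    # No negotiation (a 2.3 peer on at least one side): the static "cipher" must match.
    s_cipher = server.get("cipher", DEFAULT_CIPHER)
    c_cipher = client.get("cipher", DEFAULT_CIPHER)
    if s_cipher != c_cipher:
        return {"cipher": None, "pushed": False,
                "warning": f"cipher mismatch: server {s_cipher}, client {c_cipher}"}
    warning = None
    if BLOCK_BITS.get(s_cipher, 128) < 128:
        # The model emits this for every small-block cipher; in reality only the
        # client versions that know about the warning print it.
        warning = f"WARNING: this cipher's block size is less than 128 bit ({s_cipher})"
    return {"cipher": s_cipher, "pushed": False, "warning": warning}


def migration_path() -> Dict[str, Dict[str, Optional[str]]]:
    """The four states a rolling upgrade passes through, in order."""
    return {
        "2.3 server / 2.3 client": negotiate(SERVER_23, "2.3.12", CLIENT_23, "2.3.12"),
        "2.3 server / 2.4 client": negotiate(SERVER_23, "2.3.12", CLIENT_24, "2.4.0"),
        "2.4 server / 2.3 client": negotiate(SERVER_24, "2.4.0", CLIENT_23, "2.3.12"),
        "2.4 server / 2.4 client": negotiate(SERVER_24, "2.4.0", CLIENT_24, "2.4.0"),
    }


if __name__ == "__main__":
    for state, result in migration_path().items():
        print(f"{state}: {result}")
```

Under these assumptions no state in the path needs a second server: every combination stays on BF-CBC until both ends are 2.4, at which point the pair moves to AES-256-GCM without touching "cipher".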
[Openvpn-users] standalone/pure openvpn binary for Macs?
Hi there

Is there a semi-official/well-known binary release of the "raw" openvpn binary for Macs? I know I could use Homebrew - but then I'd end up with a binary that only works on the OS it was built on, and my test Mac is on the latest OS and yet we have users on older releases - so I need a binary that can work over a range of Mac versions (we run openvpn as an "always on" process with no user interface, so Tunnelblick is out too).

Thanks

PS: we currently have an openvpn-2.3.6 binary that has worked fine for years, but I can't recall where I got it from :-}, and was looking for a new version to go to when 2.4 officially comes out.

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Re: [Openvpn-users] standalone/pure openvpn binary for Macs?
On Fri, Nov 25, 2016 at 11:48 AM, Mathias Jeschke wrote:

> Why not run the openvpn binary that comes with Tunnelblick?

Wow - I have no idea how I missed that! Thanks for spelling out the bleeding obvious to me - I must be getting old! :-)

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Openvpn-users] Question about tls-crypt and port 443 firewall ducking
On Tue, Dec 20, 2016 at 9:50 PM, Jan Just Keijser wrote:

> It does *NOT*, however, result in OpenVPN
> traffic looking the same as regular TLS/HTTPS traffic.

How about my suggestion of supporting HTTPS proxy servers? (see: "feature request: HTTPS proxy support"). This is simply an extension of an existing feature, and would allow server providers to (say) have squid running on port 443, and the client would "CONNECT same.ip.address:1194" through it as normal. That way the outside world only sees TLS traffic on port 443 - it would hide the openvpn traffic and look "legit".

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
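The point JJK makes above (tls-crypt does not make the stream look like TLS) comes down to the first bytes on the wire, which is what anyone writing port-443 detection logic, or deciding whether tls-crypt alone changes what a middlebox sees, cares about. The classifier below is an added example, not code from this thread or from the OpenVPN project. It relies on two framing facts: a TLS record starts with a content-type byte, a 0x03 0x0x version and a 2-byte length (RFC 5246), while an OpenVPN TCP stream starts with a 2-byte big-endian packet length followed by one byte carrying opcode << 3 | key_id, and tls-crypt authenticates that opcode byte but leaves it in clear. The opcode values are OpenVPN's (ssl.h); the byte strings, the 1500-byte bound on a first packet and the label format are my own constructions.

```python
# Added example, not from the thread or the OpenVPN project: a first-bytes
# classifier showing why OpenVPN-over-TCP on port 443 does not look like TLS,
# with or without tls-crypt. Framing used: TLS record header (content type,
# 2-byte version 3.x, 2-byte length) versus the OpenVPN TCP stream (2-byte
# big-endian packet length, then one byte holding opcode << 3 | key_id);
# tls-crypt authenticates that opcode byte but does not encrypt it.
# The sample byte strings below are constructed.
import struct

TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}
# Opcodes a client can open a session with (values from OpenVPN's ssl.h).
CLIENT_RESET_OPCODES = {7: "P_CONTROL_HARD_RESET_CLIENT_V2",   # tls-auth / tls-crypt
                        10: "P_CONTROL_HARD_RESET_CLIENT_V3"}  # tls-crypt-v2
MAX_FIRST_PACKET = 1500   # assumption: a hard reset fits one link-MTU-sized packet


def classify_client_first_bytes(data: bytes) -> str:
    """Label the first bytes a client sends on a fresh TCP connection."""
    if len(data) < 5:
        return "unknown"
    # TLS: content type, version major 3 (minor 0..4), record length.
    if data[0] in TLS_CONTENT_TYPES and data[1] == 0x03 and data[2] <= 0x04:
        rec_len = struct.unpack("!H", data[3:5])[0]
        return f"tls:{TLS_CONTENT_TYPES[data[0]]}:len={rec_len}"
    # OpenVPN/TCP: length prefix, then opcode/key_id byte. A fresh session's
    # first packet is a hard reset with key_id 0, so anything else is rejected
    # (that also keeps plain HTTP or random text from matching by accident).
    pkt_len = struct.unpack("!H", data[:2])[0]
    opcode, key_id = data[2] >> 3, data[2] & 0x07
    if opcode in CLIENT_RESET_OPCODES and key_id == 0 and 0 < pkt_len <= MAX_FIRST_PACKET:
        return f"openvpn:{CLIENT_RESET_OPCODES[opcode]}:len={pkt_len}"
    return "unknown"


# Constructed samples (only the leading bytes matter to the classifier).
# TLS 1.x ClientHello record: type 0x16, version 3.1, length 244, handshake type 1.
TLS_CLIENT_HELLO_HEAD = bytes([0x16, 0x03, 0x01, 0x00, 0xF4, 0x01, 0x00, 0x00, 0xF0, 0x03, 0x03])
# tls-auth hard reset: length 42, opcode 7 / key_id 0 (0x38), 8-byte session id, then HMAC...
OPENVPN_TLS_AUTH_HEAD = bytes([0x00, 0x2A, 0x38]) + bytes(range(1, 9)) + b"\x00" * 8
# tls-crypt hard reset: same opcode byte in clear, just a longer packet (tag, packet id, wrapped payload).
OPENVPN_TLS_CRYPT_HEAD = bytes([0x00, 0x46, 0x38]) + bytes(range(1, 9)) + b"\x00" * 8
HTTP_HEAD = b"GET / HTTP/1.1\r\n"


if __name__ == "__main__":
    for label, sample in [("TLS ClientHello", TLS_CLIENT_HELLO_HEAD),
                          ("OpenVPN tls-auth", OPENVPN_TLS_AUTH_HEAD),
                          ("OpenVPN tls-crypt", OPENVPN_TLS_CRYPT_HEAD),
                          ("plain HTTP", HTTP_HEAD)]:
        print(f"{label:18s} -> {classify_client_first_bytes(sample)}")
```

Both OpenVPN samples classify the same way, which is the whole of JJK's point: tls-crypt hides the control-channel payload, not the framing. With the CONNECT-through-an-HTTPS-proxy idea above, the bytes on port 443 would instead be a TLS record from the proxy session, and this classifier would only ever see the "tls:" branch; that is the difference between encrypting the control channel and wrapping the whole stream.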
Re: [Openvpn-users] Question about tls-crypt and port 443 firewall ducking
On Tue, Jan 3, 2017 at 12:10 AM, Samuli Seppänen wrote:

> We've discussed traffic obfuscation in the past many times, and have
> always concluded that we don't want to play that cat-and-mouse game in
> the _core_ OpenVPN.

I agree - sort of. I'd say the one exception would be to add proxy-over-TLS support into openvpn. It's merely an extension of existing code but means those who choose to use it would gain the ability to appear exclusively as a TCP/TLS transaction - no evidence of vpn traffic at all.

ie, set up squid on your openvpn server with a TLS port (https_port), acl it down to only be a proxy for localhost:1194 (say). Then configure the openvpn client as

  remote localhost:1194 tcp
  http-proxy squid.server 443

All anyone would see is the client making a TLS (with SNI) connection to https://squid.server/ (and lots of traffic...). Would look effectively identical to Skype, Hangouts, etc. ie large volumes of (assumed) HTTPS traffic.

Could probably configure squid so that it defaults to a real Apache server, and does the "trick" just for "CONNECT localhost:1194" - that way even connecting to it would show a website.

Hmm, on second thoughts, this would be easier/cleaner to do in Apache via mod_proxy...

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Openvpn-users] TLS Error: Unroutable control packet received
I don't want to seem a pedant, but it sounds to me like "unroutable" in this context is not referring to networking, but instead means it cannot be associated with an existing session? If so, wouldn't it be better to say something like

  "TLS Error: bogus/old control packet received from %s (si=%d op=%s)"

All I know is that if I saw that "unroutable" message, I would be 100% thinking about network and firewall problems - I would never have thought this was anything else.

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
[Openvpn-users] kill seems to kill all clients - timeout issue?
Hi there

I've noticed that if (via the management interface) I kill a client, *all* clients on the same tun interface are killed!

ie
- nc 127.0.0.1 port
  status
  (shows 'n' clients, including their remote IP:port)
  kill remote-IP:port
  SUCCESS: 1 client(s) at address remote-IP:port killed
- result: 'n' clients disconnect instead of 1

I noticed it took >30sec before the "SUCCESS" comes back. Doing a strace showed my "client-disconnect" was doing some fiddling that took most of that time. I removed it and immediately solved the problem: only one client was disconnected as expected.

So I've solved it - but would like to figure out why it happened, as we do a lot via the scripts options and frankly I can imagine even myself adding some slow code to it accidentally again later :-)

So is there some kind of suicide call happening if the kill takes too long? Or does "client-disconnect" block all clients until it completes - that would explain everything? (because clients have "ping-restart 20")

Thanks

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
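The second guess in the post is the right one to design for: openvpn's single event loop runs hook scripts synchronously and waits for them to exit, so a client-disconnect that takes 30 seconds stalls every other session, and with "ping-restart 20" on the clients they all time out. The hook below is an added example, not code from this thread or from the OpenVPN project, of the shape that avoids it: do the fast part (spool the accounting data) inline, hand the slow part to a detached child, and return. It assumes the environment variables openvpn exports to the script (common_name, trusted_ip, trusted_port, bytes_received, bytes_sent, time_duration); the spool directory and the SLOW_WORKER command are hypothetical placeholders.

```python
#!/usr/bin/env python3
"""Added example, not from the thread or the OpenVPN project: a client-disconnect
hook that returns to openvpn immediately and hands slow work to a detached child.

Assumes the environment variables openvpn exports to scripts (common_name,
trusted_ip, trusted_port, bytes_received, bytes_sent, time_duration). SPOOL_DIR
and SLOW_WORKER (a hypothetical slow accounting command) are placeholders."""
import os
import subprocess
import sys
import tempfile
import time
from typing import Mapping

ENV_FIELDS = ("common_name", "trusted_ip", "trusted_port",
              "bytes_received", "bytes_sent", "time_duration")


def format_record(env: Mapping[str, str]) -> str:
    """Build one accounting line from the script environment (pure, so it is testable)."""
    return "|".join(env.get(key, "") for key in ENV_FIELDS)


def spool_record(spool_dir: str, record: str) -> str:
    """Write the record to a uniquely named spool file. Small, fast, synchronous."""
    os.makedirs(spool_dir, exist_ok=True)
    fd, path = tempfile.mkstemp(prefix=f"{int(time.time())}-", suffix=".rec", dir=spool_dir)
    with os.fdopen(fd, "w") as fh:
        fh.write(record + "\n")
    return path


def read_record(path: str) -> str:
    """Read a spooled record back (used by the worker and by tests)."""
    with open(path) as fh:
        return fh.read().rstrip("\n")


def defer_slow_work(worker: str, spool_path: str) -> bool:
    """Start the slow processor detached so openvpn's script runner is not held up.

    openvpn waits only for this script's pid; start_new_session and DEVNULL fds
    make sure the child outlives us and holds no pipe back to the parent.
    Returns False (and does nothing) when the worker is missing, so the hook
    still exits promptly and the spool file waits for a later run."""
    if not worker or not os.access(worker, os.X_OK):
        return False
    subprocess.Popen([worker, spool_path], stdin=subprocess.DEVNULL,
                     stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                     start_new_session=True)
    return True


def main() -> int:
    spool_dir = os.environ.get("SPOOL_DIR", "/var/spool/openvpn-disconnect")  # placeholder
    path = spool_record(spool_dir, format_record(os.environ))
    defer_slow_work(os.environ.get("SLOW_WORKER", ""), path)              # placeholder
    return 0   # returning promptly is the whole point


if __name__ == "__main__":
    sys.exit(main())
```

Wire it in with "script-security 2" and "client-disconnect /path/to/this-hook.py" on the server; the only budget that matters is the wall-clock time between openvpn calling the script and the script exiting, which here is one mkstemp and one fork. The same pattern applies to client-connect and any other hook that touches a database or a remote API.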
Re: [Openvpn-users] * UPDATE * OpenVPN v2.4.3 and v2.3.17 releases
Does using tls-auth protect against these latest security issues? ie if you are running older versions but require tls-auth, then would that block attacks from hackers who don't have your tls-auth file?

Thanks

On Fri, Jun 23, 2017 at 1:29 AM, David Sommerseth <open...@sf.lists.topphemmelig.net> wrote:
>
> Hi,
>
> We are in an unfortunate situation that our Cloudflare front is
> providing various results, depending on a lot of factors (region,
> browser, computer, etc, etc). And it causes a massive noise on people
> trying to download and verify that these downloads are correct.
>
> As most of this noise has been related to the source code downloads, I
> have set up an emergency wiki page where an alternative download URL is
> provided ... In addition the proper SHA256 checksums and proper
> signature files are available too.
>
> This will hopefully help people to get the right download.
>
> <http://community.openvpn.net/openvpn/wiki/release-packages-2.4.3-2.3.17>
>
> We will go more carefully through our release process and figure out how
> to avoid this mess with the next release. The discussion has already
> been initiated [1], and we will dig into this for the next release.
>
> [1] <https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14937.html>
>
> On behalf of the OpenVPN core community team, I am truly sorry for this
> mess. This is not how we want our releases to appear.
>
> --
> kind regards,
>
> David Sommerseth
> OpenVPN Technologies, Inc

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
[Openvpn-users] feature request: multiple keys to improve config migration
Hi there

Best practice would be to routinely rotate secrets, to mitigate configuration misuse/loss, etc. Due to CAs, certificates already support that concept, but tls-auth/tls-crypt do not. So wouldn't it be a good idea to allow tls-auth/tls-crypt to contain multiple keys, so that the key could be rotated without an outage (really like a "major upgrade")?

i.e.
1. replace server key with one containing old + new
2. replace client config, replacing old key with new one
3. wait weeks/months (probably) until you know all clients are reconfigured
4. replace server key with just the new one
5. rotation is now complete

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Openvpn-users] feature request: multiple keys to improve config migration
On Wed, Nov 1, 2017 at 2:08 PM, Steffan Karger wrote:

> Coming back to tls-crypt/tls-auth key rotation: the preferred way is
> what Ilya suggested: add a new openvpn daemon which is using the new key
> and is running on another port, then migrate your clients to the new
> server and finally kill the old server.

I guess we could assign new (2nd) IP addresses to the existing servers, and use identical configs - except for the new keys - and then alter DNS to round-robin? That way old-key clients would fail against the new IP but work on the old, and new-key clients would work on the new IP but fail on the old. Then after we see no more old-key connections, change the old IP server config to match the new.

(I don't want to use more ports because we already use the good ones ;-)

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
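The "identical configs except for the new keys" part of the plan above (and the rotation the feature request before it asks for) is where an operational mistake creeps in: two server instances running side by side for weeks drift apart as one gets edited and the other does not. The helper below is an added example, not code from this thread or from the OpenVPN project. It derives the second-instance config from the first by substituting only the "local" and "tls-crypt" directives, and checks, directive by directive, that nothing else differs. It assumes those two directives are single-line (a file path, not an inline <tls-crypt> block); the sample config, addresses and key paths are constructed.

```python
# Added example, not from the thread or the OpenVPN project: derive the
# second-IP server instance for the tls-crypt rotation plan and verify that
# the two instance configs differ only where they are meant to.
# Assumptions: single-line "local <ip>" and "tls-crypt <file>" directives
# (no inline <tls-crypt> blocks); sample config, addresses and paths are
# constructed (documentation address ranges).
from collections import Counter

ROTATED = ("local", "tls-crypt")   # the only directives the new instance may change


def parse_directives(cfg: str) -> list[tuple[str, str]]:
    """Split a config into (directive, argument-string) pairs; comments and blanks dropped."""
    pairs = []
    for raw in cfg.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, args = line.partition(" ")
        pairs.append((name, " ".join(args.split())))
    return pairs


def derive_rotated_config(old_cfg: str, new_local: str, new_key_path: str) -> str:
    """Copy old_cfg line for line, substituting only the rotated directives.
    Raises if the old config does not carry both, so a silent no-op cannot happen."""
    replacements = {"local": f"local {new_local}", "tls-crypt": f"tls-crypt {new_key_path}"}
    out, seen = [], set()
    for raw in old_cfg.splitlines():
        name = raw.split("#", 1)[0].strip().partition(" ")[0]
        if name in replacements:
            out.append(replacements[name])
            seen.add(name)
        else:
            out.append(raw)
    missing = [d for d in ROTATED if d not in seen]
    if missing:
        raise ValueError(f"old config lacks directive(s): {', '.join(missing)}")
    return "\n".join(out) + "\n"


def config_drift(cfg_a: str, cfg_b: str) -> dict[str, list[tuple[str, str]]]:
    """Directive-level difference between two configs. Counted as a multiset so
    repeated directives such as several 'push' lines are compared correctly."""
    ca, cb = Counter(parse_directives(cfg_a)), Counter(parse_directives(cfg_b))
    return {"only_in_a": sorted((ca - cb).elements()),
            "only_in_b": sorted((cb - ca).elements())}


def only_rotated_directives_differ(cfg_a: str, cfg_b: str) -> bool:
    """True when every differing directive is one of ROTATED (i.e. no drift)."""
    drift = config_drift(cfg_a, cfg_b)
    names = {name for side in drift.values() for name, _ in side}
    return names <= set(ROTATED)


# Constructed sample: the old-key server instance.
OLD_SERVER_CFG = """\
local 192.0.2.10
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-crypt /etc/openvpn/keys/tc-2017.key   # old key
push "route 10.10.0.0 255.255.0.0"
push "dhcp-option DNS 10.10.0.53"
keepalive 10 60
"""

if __name__ == "__main__":
    new_cfg = derive_rotated_config(OLD_SERVER_CFG, "192.0.2.11", "/etc/openvpn/keys/tc-2018.key")
    print(new_cfg)
    print("drift:", config_drift(OLD_SERVER_CFG, new_cfg))
    print("safe :", only_rotated_directives_differ(OLD_SERVER_CFG, new_cfg))
```

Generate the new key first ("openvpn --genkey --secret tc-2018.key" in 2.4; 2.5 and later spell it "openvpn --genkey secret tc-2018.key"), run the derived file as the second daemon bound to the second address, and re-run config_drift whenever either file is edited during the weeks the two coexist. When the old instance shows no more connections, the last step of the plan (make the old-IP config match the new) is just derive_rotated_config again with the old address and the new key.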
[Openvpn-users] weird Win2012 client issue
Hey there

I'm trying to get a Win2012 openvpn client to talk to a Redhat7 openvpn server but am not having much luck. I've reduced the config down to bare minimums: the link comes up, IP addresses are assigned at both ends - but they cannot even ping each other.

It screams "firewall", but as far as I can see I've turned them off *and* disconnected the Windows one from the openvpn interface - so that shouldn't be it. But if I try to ping the server from the Win2012 client, tcpdump on the tun interface on the server shows the "echo request" coming in and the "echo reply" going back out over the same interface - but Windows never receives it (ie it still smells firewall to me).

Routing table points the vpn subnet to the vpn (the ping proves it) - but no joy. I can't initiate pings in either direction.

The weird thing is, if I reboot the Win client, after the link comes up I can *successfully* ping the client *once* (ie one packet). After that the dead symptoms kick in. I mean - what's that about? :-)

Is there something weird that makes Win2012 act differently than (say) Win10? I've actually copied the openvpn config to a Win10 system where it works fine - so this is definitely a working config - just not for Win2012. Both ends are fully patched and the Windows installer was grabbed yesterday from openvpn.net

Any ideas appreciated

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Openvpn-users] weird Win2012 client issue
Nope - didn't make any difference. I've tried TCP and UDP (with link-mtu 1200) - no difference.

There probably aren't many people out there who tried openvpn on a Windows server. Probably a corner case. I think it would be best for me to delete the server (gotta love virtuals) and replace it with a Win10 system. Will probably be OK for what I want.

On Tue, Jun 26, 2018 at 9:11 PM Jan Just Keijser wrote:
> Hi Jason,
>
> On 26/06/18 04:49, Jason Haar wrote:
>> Hey there
>>
>> I'm trying to get a Win2012 openvpn client to talk to a Redhat7 openvpn
>> server but am not having much luck. I've reduced the config down to bare
>> minimums: the link comes up, IP addresses are assigned at both ends - but
>> they cannot even ping each other.
>>
>> It screams "firewall", but as far as I can see I've turned them off *and*
>> disconnected the Windows one from the openvpn interface - so that shouldn't
>> be it. But if I try to ping the server from the Win2012 client, tcpdump on
>> the tun interface on the server shows the "echo request" coming in and the
>> "echo reply" going back out over the same interface - but Windows never
>> receives it (ie it still smells firewall to me).
>>
>> Routing table points the vpn subnet to the vpn (the ping proves it) - but
>> no joy. I can't initiate pings in either direction.
>>
>> The weird thing is, if I reboot the Win client, after the link comes up I can
>> *successfully* ping the client *once* (ie one packet). After that the dead
>> symptoms kick in. I mean - what's that about? :-)
>>
>> Is there something weird that makes Win2012 act differently than (say)
>> Win10? I've actually copied the openvpn config to a Win10 system where it
>> works fine - so this is definitely a working config - just not for Win2012.
>> Both ends are fully patched and the Windows installer was grabbed yesterday
>> from openvpn.net
>
> Are you using "redirect_gateway def1" ?
>
> Just to make sure: can you try adding
>
>   route 0.0.0.0 0.0.0.0 vpn_gateway 800
>
> (i.e. a ridiculously high metric) to the client config file and then
> reconnect?
> It might be that Windows NLA got more strict in 2012 compared to Win10
>
> HTH,
>
> JJK

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Openvpn-users] weird Win2012 client issue
I've thrown the win2K12 away - moved the existing config directory to Win10 and it "just worked". No idea what was really behind this issue - no worse off with Win10 - so forwards I go ;-)

On Wed, Jun 27, 2018 at 8:39 AM Selva Nair wrote:
> Hi,
>
> On Tue, Jun 26, 2018 at 3:36 PM, Jason Haar wrote:
>
>> Nope - didn't make any difference. I've tried TCP and UDP (with link-mtu
>> 1200) - no difference.
>>
>> There probably aren't many people out there who tried openvpn on a
>> Windows server. Probably a corner case. I think it would be best for me to
>> delete the server (gotta love virtuals) and replace it with a Win10 system.
>> Will probably be OK for what I want.
>
> I recall running the client on a Windows server 2012 host (server should
> also work).
>
> FWIW, I just fired up a 2012 datacenter edition as a google compute
> instance. Using the latest binary from openvpn.net, no issues on a quick
> test of pinging and accessing a web page on the server using ipv4 tunnel ip.
>
> One glitch: the interactive service errored out while setting the ipv6
> address and route with
>
>   TUN: adding address failed using service: Element not found. [status=1168 if_index=22]
>   ROUTE: route addition failed using service: Element not found. [status=1168 if_index=22]
>
> Did not investigate further, so not sure what went wrong there.
>
> Selva

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Openvpn-users] NTLMv1, NTLMv2 HTTP proxy support?
How about ditching the NTLM and adding HTTPS proxy support instead? ;-)

Does the privacy aspect of talking to proxies "properly" of course (Basic is fine over HTTPS)

(and accidentally makes openvpn-over-TCP look like real TLS traffic too...)

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

On 2021-11-07 at 13:55, g...@greenie.muc.de wrote:
> Hi Community,
>
> OpenVPN supports HTTP proxies that require NTLM authentication,
> supporting NTLMv1 and NTLMv2 protocols.
>
> This is old code, which was written in the dark ages, is not currently
> unit/client tested, and uses DES which got deprecated in OpenSSL 3.0.0...
>
> That said, if people still *use* it, we are likely to keep it - otherwise
> it might just become lost :-)
>
> So - if you use HTTP proxy in OpenVPN, and that proxy authenticates
> against a Windows AD domain, and you use NTLMv1 or NTLMv2 authentication,
> please speak up and tell us about your use case!
>
> gert
>
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany g...@greenie.muc.de