[Openvpn-users] Possible to drop port scan packets?

2013-09-24 Thread jack seth
Is it possible to have an OpenVPN server drop port-scanning packets instead of 
sending a reply?  For example, when running 'Shields Up' on grc.com the port 
that I have OpenVPN running on is reported as 'closed' instead of 'stealth'.  
Is there a way to get OpenVPN to just not respond?  
 
--
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60133471&iu=/4140/ostg.clktrk
___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users


Re: [Openvpn-users] Possible to drop port scan packets?

2013-09-24 Thread jack seth

> Date: Tue, 24 Sep 2013 23:45:13 +0200
> From: openvpn.l...@topphemmelig.net
> To: bird_...@hotmail.com
> CC: openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] Possible to drop port scan packets?
>
>
> - Original Message -
>> From: "jack seth" 
>> To: openvpn-users@lists.sourceforge.net
>> Sent: Tuesday, 24 September, 2013 5:16:27 PM
>> Subject: [Openvpn-users] Possible to drop port scan packets?
>>
>> Is it possible to have a Openvpn server drop port scanning packets instead of
>> sending a reply.  For example, when running 'shields up' on grc.com the port
>> that I have openvpn running on is reported as 'closed' instead of 'stealth'.
>>   Is there a way to get openvpn to just not respond?
>
> No and yes. It's really the firewall in co-operation with an IDS which can
> truly do that job best, generally.
>
> Having that said, if you run OpenVPN in UDP mode and use --tls-auth, OpenVPN
> will not respond to packets which have a mismatching HMAC "signature" on the
> UDP packets. The result is that the OpenVPN port seems to be blocked, unless
> your OpenVPN clients use the proper pre-exchanged static tls-auth key.
>
> This works only with UDP as it is stateless and doesn't have the connection
> handshake TCP needs. So if you use TCP, the port will be listed as open, but
> OpenVPN would disconnect instantly if the tls-auth HMAC "signature" is wrong.
>
> To implement --tls-auth, you need to use --genkey and --secret to generate
> a static key. This key file comes in addition to the other key/certificate
> files you already use. Then distribute this key to all your clients
> together with an updated client config. The config changes are needed both
> on all the clients and your server. Use f.ex. --tls-auth static.key 1 on
> the server and --tls-auth static.key 0 on the clients, or vice versa.
>
> It is also possible to inline this static key file inside the configuration
> file. To do that, you need to add these lines to the configs
>
> tls-auth [inline] 0
> 
> -----BEGIN OpenVPN Static key V1-----
> ...
> ... complete contents of your static key
> ...
> -----END OpenVPN Static key V1-----
> 
>
> Remember to replace the '0' with a '1', so that server and clients have
> different values. Only 0 and 1 are valid values and the server needs one
> of the values, all of your clients need the other value. Which one you
> use where is up to you.
>
>
> --
> kind regards,
>
> David Sommerseth

Thanks for the response.  Yes, I have that implemented.  I am running both a TCP 
and a UDP server.  Of course it is the TCP one that is replying.  Actually the port 
is listed as 'closed' but I want it to appear as 'stealth' (i.e. no response).  
In a TCP setup, does the very first packet have the HMAC signature?  If so, I 
guess I am wondering if there is some setting where, if OpenVPN received the 
first packet and it didn't have an HMAC signature (or the correct one), it just 
wouldn't respond and would drop the packet?  
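The thread above turns on one decision rule: with --tls-auth, OpenVPN discards any UDP datagram whose HMAC does not verify under the pre-shared static key, so an unauthenticated probe gets nothing back, while the key-direction value (0 on one side, 1 on the other) decides which half of the key each side signs with. The following is an added example, not OpenVPN's code and not its wire format; it models that rule with HMAC-SHA256 (the digest the client log in a later thread reports for control-channel authentication). The two-halves key layout, the 32-byte tag placement and the "reply"/"drop" outcome strings are constructions of this example.

```python
"""Model of the --tls-auth "stealth" behaviour: drop what does not verify.

Added example, not OpenVPN code. The static key is modelled as two halves:
with key direction 0 a peer signs with the first half and verifies with the
second; with direction 1 the roles swap. Two peers that both use the same
direction therefore fail to verify each other, which is why the thread says
server and clients must use different values.
"""
import hashlib
import hmac
from typing import Optional, Tuple

TAG_LEN = 32  # HMAC-SHA256 tag length in bytes (assumption of this model)

# Constructed 64-byte static key; the two halves deliberately differ.
STATIC_KEY = hashlib.sha256(b"constructed half A").digest() + \
             hashlib.sha256(b"constructed half B").digest()


def split_key(static_key: bytes) -> Tuple[bytes, bytes]:
    """Split the shared static key into its two halves (constructed layout)."""
    half = len(static_key) // 2
    return static_key[:half], static_key[half:]


def send_key(static_key: bytes, direction: int) -> bytes:
    """Half used to authenticate outgoing packets for this key direction."""
    first, second = split_key(static_key)
    return first if direction == 0 else second


def recv_key(static_key: bytes, direction: int) -> bytes:
    """Half used to verify incoming packets: the peer's send half."""
    first, second = split_key(static_key)
    return second if direction == 0 else first


def seal(static_key: bytes, direction: int, payload: bytes) -> bytes:
    """Prepend an HMAC-SHA256 tag to a control-channel payload."""
    tag = hmac.new(send_key(static_key, direction), payload, hashlib.sha256).digest()
    return tag + payload


def open_packet(static_key: bytes, direction: int, datagram: bytes) -> Optional[bytes]:
    """Return the payload if the tag verifies, else None (silently dropped)."""
    if len(datagram) < TAG_LEN:
        return None  # too short to carry a tag: garbage, drop it
    tag, payload = datagram[:TAG_LEN], datagram[TAG_LEN:]
    expected = hmac.new(recv_key(static_key, direction), payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key, wrong direction or tampered: no reply at all
    return payload


def server_reaction(static_key: bytes, datagram: bytes) -> str:
    """What a server configured with key direction 1 does with a datagram."""
    payload = open_packet(static_key, 1, datagram)
    return "drop" if payload is None else "reply"


if __name__ == "__main__":
    good = seal(STATIC_KEY, 0, b"client hello")          # client, direction 0
    wrong_dir = seal(STATIC_KEY, 1, b"client hello")     # misconfigured client
    probe = b"\x00" * 64                                 # unauthenticated scan packet
    for label, pkt in (("client", good), ("same-direction client", wrong_dir), ("probe", probe)):
        print(f"{label:>22}: {server_reaction(STATIC_KEY, pkt)}")
```

Because the check happens before any reply is generated, a UDP port guarded this way looks identical to a port with no listener. The same rule cannot make a TCP listener invisible: the kernel completes the three-way handshake before OpenVPN ever sees the first HMAC-tagged packet, which is the point Jason Haar makes in the next message.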


Re: [Openvpn-users] Openvpn-users Digest, Vol 88, Issue 8

2013-09-26 Thread jack seth
>
> Message: 3
> Date: Wed, 25 Sep 2013 13:20:12 +1200
> From: Jason Haar 
> Subject: Re: [Openvpn-users] Possible to drop port scan packets?
> To: openvpn-users@lists.sourceforge.net
> Message-ID: <52423a4c.8070...@trimble.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On 25/09/13 11:16, jack seth wrote:
>> Thanks for the response. Yes I have that implemented. I am running
>> both a TCP and UDP server. Of course it is the TCP that is replying.
>> Actually the port is listed as 'closed' but I want it to appear as
>> 'stealth' (i.e. no response).
>
> Just to reiterate - you can't do that with any TCP application. By
> *definition*, TCP/IP requires a 3-way packet transaction before any
> client (like openvpn client) can even begin to talk to it. So if you
> want openvpn to run over TCP, then you have to accept that anyone can
> "know" you have something running on that port. Of course, they won't be
> able to tell just what TCP service is running on it (it isn't smtp,
> http, https, etc) - but they will know something's there
>
> PS: either your scanner is broken, or you actually don't have it running
> on TCP. If scanning a TCP port returns "closed", that 100% means
> there's nothing running on it (ignoring firewall rules that limit by ip
> address). It *must* return "open" for any of your openvpn clients to
> ever be able to use it
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +1 408 481 8171
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
>


Yeah, I would have thought it would be 'open' too, but it says 'closed'.  It has 
been a while since I have tested this from outside my LAN.  I'll test it again 
to be sure it is working, but it used to work and I haven't made any config 
changes.  In a way this partially prompted the original question, because if the 
scan says 'closed', why can't OpenVPN just not respond?  BTW, it's not my 
scanner, it's a scan that many, many people have used. :)   
   


[Openvpn-users] Openvpn gui causes internet to disconnect

2013-10-21 Thread jack seth
I am running OpenVPN GUI v5, which I recently upgraded. I noticed that it wasn't 
saving the log when it connected.  So I made the shortcut run as administrator. 
That cured the logging problem.  But it causes the internet connection to drop 
after a few seconds.  I stay connected fine if I don't run as administrator.  
Any suggestions?  This is on Windows 7 Ultimate.
 


Re: [Openvpn-users] OpenVPN Security

2013-10-21 Thread jack seth
> Message: 2
> Date: Thu, 17 Oct 2013 17:45:34 -0400
> From: "Sumit Dahiya" 
> Subject: Re: [Openvpn-users] OpenVPN Security
> To: 
> Message-ID: <000901cecb82$367ecdf0$a37c69d0$@eistech.com>
> Content-Type: text/plain; charset="us-ascii"
>
> Thanks for the comment. I should have mentioned that we are also using the
> "dhcp-option DNS" directive. So remote employees will be routed through our
> corporate DNS server when they are connected to the OpenVPN server.
>
> As soon as they disconnect, they are at the mercy of the public WiFi DNS at
> Starbucks (or whatever network they are on).
>
>
>
> -Original Message-
> From: Davide Brini [mailto:dave...@gmx.com]
> Sent: Thursday, October 17, 2013 4:54 AM
> To: openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] OpenVPN Security
>
> On Wed, 16 Oct 2013 22:14:39 -0400, "Sumit Dahiya"
>  wrote:
>
>> I agree there is no such thing as 100% security. Therefore, I am
>> trying to make my VPN users as less vulnerable as possible.
>>
>> If I do not use the "redirect gateway" parameter then users would be
>> relying on target website's SSL implementation and their encryption
>> strategies. If there are some problems with certificates etc. (or
>> holes in security otherwise) then my users will potentially become
>> vulnerable to local eavesdroppers sniffing packets over the public WiFi.
>
> It depends. The *target* website SSL implementation, unless it's in your
> network, isn't going to change, whether you're redirecting over the VPN or
> connecting directly to it.
>
>> On the other hand, if I DO use the "redirect gateway" then my users
>> will be safe from public WiFi eavesdropping regardless of security
>> holes in websites they are visiting. Please let me know if this is not
> correct.
>
> Yes, since all that will be seen on the wifi network is the VPN traffic.
>
> However as mentioned above, if one of your VPN users is tricked into going
> to the SSL URL of a compromised website and clicks "yes, go ahead" in the
> browser, the fact that their traffic is being redirected over the VPN or not
> isn't going to make a difference (unless you have "something" in your
> network that would detect or prevent that, which is unlikely).
>
> Another thing to consider is which DNS server(s) your users will use while
> connected to the VPN. If you redirect all their traffic to the VPN server,
> but let them continue to use the DNS server(s) they got from DHCP in the
> hotspot or wherever they are, then the owners of the wifi network can
> obviously mount all sorts of attacks, VPN or not. So one thing you could do
> is instruct the clients to use a DNS server that is internal to your network
> (or one that you trust) while connected to the VPN. How to do this is
> client- and operating system- specific, but it can generally be done, see
> the --dhcp-option directive. (Of course, this doesn't apply if the user
> isn't connected to the VPN, but that is out of the scope of this discussion
> anyway.)
>
>

Is this the correct syntax for this option? "--dhcp-option DNS 192.168.1.1"  
Can it be used without the --ip-win32 command?  
 


[Openvpn-users] How to use the --dhcp-option parameter?

2013-11-01 Thread jack seth
Is this the correct syntax for this option? "--dhcp-option DNS 192.168.1.1"  
Can it be used without the --ip-win32 command?  
 


[Openvpn-users] Why can't I access my modem from the outside?

2013-11-01 Thread jack seth
Here is my setup.  My DSL modem is attached to the WAN port of my router.  
Vlan2 is the WAN port interface.  Vlan2 has been assigned an IP address 
(192.168.1.253) in the same subnet as the modem to allow access.  This rule is 
used to make it work: 'iptables -I POSTROUTING -t nat -o vlan2 -d 192.168.1.254 
-j MASQUERADE'.  With this setup, from inside my LAN (on a different subnet) I 
can still access the DSL modem.  Tap0 is my OpenVPN interface.  It is part of 
the bridge 'br0' and gets assigned an IP address within the same subnet as my 
LAN.  Effectively, when using OpenVPN I become part of my LAN and can access 
LAN resources.  So far so good.  Here is the problem.  When testing OpenVPN from 
public wifi, I can't access the DSL modem.  I am on my LAN, as I can access 
other things.  I can access my DSL modem when testing OpenVPN from inside my LAN, 
just not from the outside.  When I remotely connect, I want EVERYTHING to be as 
if I were on my LAN.  I don't get why this doesn't work.  Can someone help me 
figure this out?   


Re: [Openvpn-users] Why can't I access my modem from the outside?

2013-11-02 Thread jack seth

> From: bird_...@hotmail.com
> To: openvpn-users@lists.sourceforge.net
> Subject: Why can't I access my modem from the outside?
> Date: Fri, 1 Nov 2013 18:23:12 +
>
> Here is my setup.  My dsl modem is attached to the WAN port of my router.  
> Vlan2 is the WAN port interface.  Vlan2 has been assigned an IP address 
> (192.168.1.253) in the same subnet as the modem to allow access.  This rule 
> is used to make it work 'iptables -I POSTROUTING -t nat -o vlan2 -d 
> 192.168.1.254 -j MASQUERADE'  With this setup from inside my lan (on a 
> different subnet) I can still access the dsl modem.   Tap0 is my openvpn 
> interface.  It is part of the bridge 'br0' and gets assigned an ip address 
> within the same subnet as my lan.   Effectively, when using Openvpn I become 
> part of my lan and can access lan resources.  So far so good. Here is the 
> problem.  When testing openvpn from public wifi, I can't access the dsl 
> modem.  I am on my lan as I can access other things.  I can access my dsl 
> modem testing openvpn from inside my lan, just not from the outside.  When I 
> remotely connect, I want EVERYTHING to be as if I were on my lan.  I don't 
> get why this doesn't work.  Can someone help me figure this out?


I figured it out.  Sometimes the redirect-gateway command isn't successful so 
my packets are not being sent over the vpn.  Is there a way to ensure that this 
has worked before the vpn connection is established or at least increase the 
odds?  I would hate to have to check the log to be sure it worked before I 
started using the vpn.  


[Openvpn-users] Options available for --auth

2013-11-02 Thread jack seth
Can someone please tell me the options available for --auth?  I know the 
default is SHA1.  What else is available?  This info does not seem to be easily 
available.   


[Openvpn-users] Can't connect using tls-cipher TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA

2013-11-03 Thread jack seth
I can't connect to my OpenVPN server using the option 'tls-cipher 
TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA'.  This is the only change I made to the 
server and client configs.  They were working perfectly before this.  Here is 
the relevant log info:

Client log
Sun Nov 03 21:00:26 2013 OpenVPN 2.3.2 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] 
[PKCS11] [eurephia] [IPv6] built on Aug 22 2013
Enter Management Password:
Sun Nov 03 21:00:26 2013 MANAGEMENT: TCP Socket listening on 
[AF_INET]127.0.0.1:25340
Sun Nov 03 21:00:26 2013 Need hold release from management interface, waiting...
Sun Nov 03 21:00:26 2013 MANAGEMENT: Client connected from 
[AF_INET]127.0.0.1:25340
Sun Nov 03 21:00:26 2013 MANAGEMENT: CMD 'state on'
Sun Nov 03 21:00:26 2013 MANAGEMENT: CMD 'log all on'
Sun Nov 03 21:00:26 2013 MANAGEMENT: CMD 'hold off'
Sun Nov 03 21:00:26 2013 MANAGEMENT: CMD 'hold release'
Sun Nov 03 21:00:27 2013 Control Channel Authentication: using 'c:\Program 
Files (x86)\OpenVPN\config\ta.key' as a OpenVPN static key file
Sun Nov 03 21:00:27 2013 Outgoing Control Channel Authentication: Using 256 bit 
message hash 'SHA256' for HMAC authentication
Sun Nov 03 21:00:27 2013 Incoming Control Channel Authentication: Using 256 bit 
message hash 'SHA256' for HMAC authentication
Sun Nov 03 21:00:27 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Nov 03 21:00:27 2013 MANAGEMENT:>STATE:1383534027,RESOLVE,,,
Sun Nov 03 21:00:27 2013 UDPv4 link local: [undef]
Sun Nov 03 21:00:27 2013 UDPv4 link remote: [AF_INET]**.**.**.232:1194
Sun Nov 03 21:00:27 2013 MANAGEMENT:>STATE:1383534027,WAIT,,,
Sun Nov 03 21:00:27 2013 MANAGEMENT:>STATE:1383534027,AUTH,,,
Sun Nov 03 21:00:27 2013 TLS: Initial packet from [AF_INET]**.**.**.232:1194, 
sid=cc4ea058 9f0a9c59
Sun Nov 03 21:00:57 2013 [UNDEF] Inactivity timeout (--ping-restart), restarting
Sun Nov 03 21:00:57 2013 SIGUSR1[soft,ping-restart] received, process restarting
Sun Nov 03 21:00:57 2013 
MANAGEMENT:>STATE:1383534057,RECONNECTING,ping-restart,,
Sun Nov 03 21:00:57 2013 Restart pause, 2 second(s)
Sun Nov 03 21:00:58 2013 SIGTERM[hard,init_instance] received, process exiting
Sun Nov 03 21:00:58 2013 MANAGEMENT:>STATE:1383534058,EXITING,init_instance,,

Server log
Wed Dec 31 18:00:59 1969 OpenVPN 2.3.2 mipsel-unknown-linux-gnu [SSL (OpenSSL)] 
[LZO] [EPOLL] [MH] [IPv6] built on Oct 22 2013
-
-
Sun Nov  3 20:59:29 2013 Initialization Sequence Completed
Sun Nov  3 21:00:26 2013 192.168.1.116:51126 TLS: Initial packet from 
[AF_INET]192.168.1.116:51126, sid=9edfecdb 4157f6ff
Sun Nov  3 21:00:26 2013 192.168.1.116:51126 TLS_ERROR: BIO read 
tls_read_plaintext error: error:1408A0C1:lib(20):func(138):reason(193)
Sun Nov  3 21:00:26 2013 192.168.1.116:51126 TLS Error: TLS object -> incoming 
plaintext read error
Sun Nov  3 21:00:26 2013 192.168.1.116:51126 TLS Error: TLS handshake failed
Sun Nov  3 21:00:26 2013 192.168.1.116:51126 SIGUSR1[soft,tls-error] received, 
client-instance restarting


What does the TLS error mean? 


Re: [Openvpn-users] Can't connect using tls-cipher TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA

2013-11-04 Thread jack seth

> Date: Mon, 4 Nov 2013 14:55:53 +0100
> From: openvpn.l...@topphemmelig.net
> To: bird_...@hotmail.com
> Subject: Re: [Openvpn-users] Can't connect using tls-cipher 
> TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA
>
> On 04/11/13 04:17, jack seth wrote:
>> I can't connect to my openvpn server using the option 'tls-cipher 
>> TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA'. This is the only change I made to the 
>> server and client configs. They were working perfectly before this. Here are 
>> the relevant log info
>>
>> Client log
>> Sun Nov 03 21:00:26 2013 OpenVPN 2.3.2 i686-w64-mingw32 [SSL (OpenSSL)] 
>> [LZO] [PKCS11] [eurephia] [IPv6] built on Aug 22 2013
>> Enter Management Password:
>> Sun Nov 03 21:00:26 2013 MANAGEMENT: TCP Socket listening on 
>> [AF_INET]127.0.0.1:25340
>> Sun Nov 03 21:00:26 2013 Need hold release from management interface, 
>> waiting...
>> Sun Nov 03 21:00:26 2013 MANAGEMENT: Client connected from 
>> [AF_INET]127.0.0.1:25340
>> Sun Nov 03 21:00:26 2013 MANAGEMENT: CMD 'state on'
>> Sun Nov 03 21:00:26 2013 MANAGEMENT: CMD 'log all on'
>> Sun Nov 03 21:00:26 2013 MANAGEMENT: CMD 'hold off'
>> Sun Nov 03 21:00:26 2013 MANAGEMENT: CMD 'hold release'
>> Sun Nov 03 21:00:27 2013 Control Channel Authentication: using 'c:\Program 
>> Files (x86)\OpenVPN\config\ta.key' as a OpenVPN static key file
>> Sun Nov 03 21:00:27 2013 Outgoing Control Channel Authentication: Using 256 
>> bit message hash 'SHA256' for HMAC authentication
>> Sun Nov 03 21:00:27 2013 Incoming Control Channel Authentication: Using 256 
>> bit message hash 'SHA256' for HMAC authentication
>> Sun Nov 03 21:00:27 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
>> Sun Nov 03 21:00:27 2013 MANAGEMENT:>STATE:1383534027,RESOLVE,,,
>> Sun Nov 03 21:00:27 2013 UDPv4 link local: [undef]
>> Sun Nov 03 21:00:27 2013 UDPv4 link remote: [AF_INET]**.**.**.232:1194
>> Sun Nov 03 21:00:27 2013 MANAGEMENT:>STATE:1383534027,WAIT,,,
>> Sun Nov 03 21:00:27 2013 MANAGEMENT:>STATE:1383534027,AUTH,,,
>> Sun Nov 03 21:00:27 2013 TLS: Initial packet from 
>> [AF_INET]**.**.**.232:1194, sid=cc4ea058 9f0a9c59
>> Sun Nov 03 21:00:57 2013 [UNDEF] Inactivity timeout (--ping-restart), 
>> restarting
>> Sun Nov 03 21:00:57 2013 SIGUSR1[soft,ping-restart] received, process 
>> restarting
>> Sun Nov 03 21:00:57 2013 
>> MANAGEMENT:>STATE:1383534057,RECONNECTING,ping-restart,,
>> Sun Nov 03 21:00:57 2013 Restart pause, 2 second(s)
>> Sun Nov 03 21:00:58 2013 SIGTERM[hard,init_instance] received, process 
>> exiting
>> Sun Nov 03 21:00:58 2013 MANAGEMENT:>STATE:1383534058,EXITING,init_instance,,
>>
>> Server log
>> Wed Dec 31 18:00:59 1969 OpenVPN 2.3.2 mipsel-unknown-linux-gnu [SSL 
>> (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Oct 22 2013
>> -
>> -
>> Sun Nov 3 20:59:29 2013 Initialization Sequence Completed
>> Sun Nov 3 21:00:26 2013 192.168.1.116:51126 TLS: Initial packet from 
>> [AF_INET]192.168.1.116:51126, sid=9edfecdb 4157f6ff
>> Sun Nov 3 21:00:26 2013 192.168.1.116:51126 TLS_ERROR: BIO read 
>> tls_read_plaintext error: error:1408A0C1:lib(20):func(138):reason(193)
>> Sun Nov 3 21:00:26 2013 192.168.1.116:51126 TLS Error: TLS object -> 
>> incoming plaintext read error
>> Sun Nov 3 21:00:26 2013 192.168.1.116:51126 TLS Error: TLS handshake failed
>> Sun Nov 3 21:00:26 2013 192.168.1.116:51126 SIGUSR1[soft,tls-error] 
>> received, client-instance restarting
>>
>>
>> What does the TLS error mean?
>
> Seems the OpenSSL library on your server isn't compiled with error strings
> enabled. But you can use 'openssl errstr' on another computer to figure out 
> this.
>
> $ openssl errstr 1408A0C1
> error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
>
> So this sounds like there's a mismatch between your server and client config
> in regards to cipher parameters.
>
>
> --
> kind regards,
>
> David Sommerseth


Thanks for the response.  I'm confused by this because I am using the exact 
same line in the server config and the client config? 
  
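David's reply shows why the server log's `error:1408A0C1:lib(20):func(138):reason(193)` is readable even on a build without OpenSSL error strings: the hex value is a packed code, and the three decimal fields are just its unpacked parts. The following is an added example, not OpenVPN or OpenSSL code. It unpacks the 1.0-era layout (8-bit library, 12-bit function, 12-bit reason), scans OpenVPN log text for such lines, and checks that the printed fields agree with the code. Its name table holds only the three names this thread establishes through `openssl errstr`; everything else is reported by number, and the `SERVER_LOG` sample is the server log quoted in the thread.

```python
"""Decode packed OpenSSL error codes found in OpenVPN server logs.

Added example, not OpenVPN or OpenSSL code. Error codes of the OpenSSL 1.0
generation pack library (8 bits), function (12 bits) and reason (12 bits)
into one 32-bit value; 0x1408A0C1 therefore unpacks to lib 20, func 138,
reason 193, exactly the fields OpenVPN printed alongside it.
"""
import re
from typing import List, NamedTuple

# Only the names this thread establishes via 'openssl errstr 1408A0C1'.
LIB_NAMES = {20: "SSL routines"}
FUNC_NAMES = {(20, 138): "SSL3_GET_CLIENT_HELLO"}
REASON_NAMES = {(20, 193): "no shared cipher"}

ERR_RE = re.compile(
    r"error:([0-9A-Fa-f]{8}):lib\((\d+)\):func\((\d+)\):reason\((\d+)\)"
)


class OpenSSLError(NamedTuple):
    code: int
    lib: int
    func: int
    reason: int

    def describe(self) -> str:
        """Render in the same shape 'openssl errstr' prints, numbers if unknown."""
        lib = LIB_NAMES.get(self.lib, f"lib({self.lib})")
        func = FUNC_NAMES.get((self.lib, self.func), f"func({self.func})")
        reason = REASON_NAMES.get((self.lib, self.reason), f"reason({self.reason})")
        return f"error:{self.code:08X}:{lib}:{func}:{reason}"


def decode_openssl_error(code: int) -> OpenSSLError:
    """Unpack a 32-bit OpenSSL 1.0-style error code into its three fields."""
    return OpenSSLError(code, (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF)


def find_tls_errors(log_text: str) -> List[OpenSSLError]:
    """Extract every packed error code from log text and cross-check its fields."""
    found = []
    for m in ERR_RE.finditer(log_text):
        err = decode_openssl_error(int(m.group(1), 16))
        printed = tuple(int(g) for g in m.groups()[1:])
        # The decimal lib/func/reason OpenVPN prints must match the unpacked code;
        # a mismatch means the line was mangled in transit and should not be trusted.
        if (err.lib, err.func, err.reason) != printed:
            raise ValueError(f"inconsistent error line: {m.group(0)}")
        found.append(err)
    return found


# Server log lines quoted in this thread (with the constructed client address kept).
SERVER_LOG = """Sun Nov  3 21:00:26 2013 192.168.1.116:51126 TLS: Initial packet from [AF_INET]192.168.1.116:51126, sid=9edfecdb 4157f6ff
Sun Nov  3 21:00:26 2013 192.168.1.116:51126 TLS_ERROR: BIO read tls_read_plaintext error: error:1408A0C1:lib(20):func(138):reason(193)
Sun Nov  3 21:00:26 2013 192.168.1.116:51126 TLS Error: TLS object -> incoming plaintext read error
Sun Nov  3 21:00:26 2013 192.168.1.116:51126 TLS Error: TLS handshake failed
"""

if __name__ == "__main__":
    for err in find_tls_errors(SERVER_LOG):
        print(err.describe())
```

"no shared cipher" is raised while the server processes the ClientHello, i.e. before any certificate is examined, which is consistent with David's reading that the two sides cannot agree on a cipher-suite parameter rather than failing on credentials.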


Re: [Openvpn-users] Can't connect using tls-cipher TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA

2013-11-04 Thread jack seth

> Date: Tue, 5 Nov 2013 00:51:33 +0100
> From: openvpn.l...@topphemmelig.net
> To: bird_...@hotmail.com
> CC: openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] Can't connect using tls-cipher 
> TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA
>
> On 04/11/13 21:59, jack seth wrote:
>> 
>>> Date: Mon, 4 Nov 2013 14:55:53 +0100
>>> From: openvpn.l...@topphemmelig.net
>>> To: bird_...@hotmail.com
>>> Subject: Re: [Openvpn-users] Can't connect using tls-cipher 
>>> TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA
>>>
>>> On 04/11/13 04:17, jack seth wrote:
>>>> I can't connect to my openvpn server using the option 'tls-cipher 
>>>> TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA'. This is the only change I made to 
>>>> the server and client configs. They were working perfectly before this. 
>>>> Here are the relevant log info
>>>>
>>>> Client log
>>>> Sun Nov 03 21:00:26 2013 OpenVPN 2.3.2 i686-w64-mingw32 [SSL (OpenSSL)] 
>>>> [LZO] [PKCS11] [eurephia] [IPv6] built on Aug 22 2013
>>>> Enter Management Password:
>>>> Sun Nov 03 21:00:26 2013 MANAGEMENT: TCP Socket listening on 
>>>> [AF_INET]127.0.0.1:25340
>>>> Sun Nov 03 21:00:26 2013 Need hold release from management interface, 
>>>> waiting...
>>>> Sun Nov 03 21:00:26 2013 MANAGEMENT: Client connected from 
>>>> [AF_INET]127.0.0.1:25340
>>>> Sun Nov 03 21:00:26 2013 MANAGEMENT: CMD 'state on'
>>>> Sun Nov 03 21:00:26 2013 MANAGEMENT: CMD 'log all on'
>>>> Sun Nov 03 21:00:26 2013 MANAGEMENT: CMD 'hold off'
>>>> Sun Nov 03 21:00:26 2013 MANAGEMENT: CMD 'hold release'
>>>> Sun Nov 03 21:00:27 2013 Control Channel Authentication: using 'c:\Program 
>>>> Files (x86)\OpenVPN\config\ta.key' as a OpenVPN static key file
>>>> Sun Nov 03 21:00:27 2013 Outgoing Control Channel Authentication: Using 
>>>> 256 bit message hash 'SHA256' for HMAC authentication
>>>> Sun Nov 03 21:00:27 2013 Incoming Control Channel Authentication: Using 
>>>> 256 bit message hash 'SHA256' for HMAC authentication
>>>> Sun Nov 03 21:00:27 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
>>>> Sun Nov 03 21:00:27 2013 MANAGEMENT:>STATE:1383534027,RESOLVE,,,
>>>> Sun Nov 03 21:00:27 2013 UDPv4 link local: [undef]
>>>> Sun Nov 03 21:00:27 2013 UDPv4 link remote: [AF_INET]**.**.**.232:1194
>>>> Sun Nov 03 21:00:27 2013 MANAGEMENT:>STATE:1383534027,WAIT,,,
>>>> Sun Nov 03 21:00:27 2013 MANAGEMENT:>STATE:1383534027,AUTH,,,
>>>> Sun Nov 03 21:00:27 2013 TLS: Initial packet from 
>>>> [AF_INET]**.**.**.232:1194, sid=cc4ea058 9f0a9c59
>>>> Sun Nov 03 21:00:57 2013 [UNDEF] Inactivity timeout (--ping-restart), 
>>>> restarting
>>>> Sun Nov 03 21:00:57 2013 SIGUSR1[soft,ping-restart] received, process 
>>>> restarting
>>>> Sun Nov 03 21:00:57 2013 
>>>> MANAGEMENT:>STATE:1383534057,RECONNECTING,ping-restart,,
>>>> Sun Nov 03 21:00:57 2013 Restart pause, 2 second(s)
>>>> Sun Nov 03 21:00:58 2013 SIGTERM[hard,init_instance] received, process 
>>>> exiting
>>>> Sun Nov 03 21:00:58 2013 
>>>> MANAGEMENT:>STATE:1383534058,EXITING,init_instance,,
>>>>
>>>> Server log
>>>> Wed Dec 31 18:00:59 1969 OpenVPN 2.3.2 mipsel-unknown-linux-gnu [SSL 
>>>> (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Oct 22 2013
>>>> -
>>>> -
>>>> Sun Nov 3 20:59:29 2013 Initialization Sequence Completed
>>>> Sun Nov 3 21:00:26 2013 192.168.1.116:51126 TLS: Initial packet from 
>>>> [AF_INET]192.168.1.116:51126, sid=9edfecdb 4157f6ff
>>>> Sun Nov 3 21:00:26 2013 192.168.1.116:51126 TLS_ERROR: BIO read 
>>>> tls_read_plaintext error: error:1408A0C1:lib(20):func(138):reason(193)
>>>> Sun Nov 3 21:00:26 2013 192.168.1.116:51126 TLS Error: TLS object -> 
>>>> incoming plaintext read error
>>>> Sun Nov 3 21:00:26 2013 192.168.1.116:51126 TLS Error: TLS handshake failed
>>>> Sun Nov 3 21:00:26 2013 192.168.1.116:51126 SIGUSR1[soft,tls-error] 
>>>> received, client-instance restarting
>>>>
>>>>
>>>> What does the TLS error mean?
>>>
>>> Seems the OpenSSL library on your server isn't compiled with error

Re: [Openvpn-users] Can't connect using tls-cipher TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA

2013-11-05 Thread jack seth
> Message: 1
> Date: Mon, 04 Nov 2013 13:37:31 -0600
> From: Josh Cepek 
> Subject: Re: [Openvpn-users] Can't connect using tls-cipher
> TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA
> To: openvpn-users@lists.sourceforge.net
> Message-ID: 
> Content-Type: text/plain; charset=ISO-8859-1
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On 11/03/13 21:17, jack seth wrote:
>> I can't connect to my openvpn server using the option 'tls-cipher
>> TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA'. This is the only change I
>> made to the server and client configs. They were working perfectly
>> before this. Here are the relevant log info
>
> You cannot arbitrarily change the authentication mode of TLS without
> understanding what you have done and taken care to supply the necessary
> authentication components.
>
> The short answer for you: don't use any TLS cipher-suites unless they
> begin with TLS-DHE-RSA. More details below.
>
> RSA is one type of asymmetric encryption that uses RSA keypairs to
> perform the cryptographic verification between peers. OpenVPN used in a
> TLS mode with RSA requires RSA keypairs and valid X.509 certificates as
> the basis for authentication. If you intended to use client-based
> username/password authentication, read about --auth-user-pass-verify and
> --auth-user-pass in the manpage.
>
> By selecting an SRP authentication method, you are asking for a
> completely different mode of operation that is based on establishing a
> session encryption key based on passwords. This does not work in
> OpenVPN's context because the concept of a client or server's commonName
> is bound to the X.509 certificate field by the same name. Thus, you
> cannot use SRP with openvpn without significant modification to the
> openvpn program.
>
> You said this was "the only change you made" and this is why you get TLS
> negotiation errors: SRP is completely different than certificates, and
> you are apparently using RSA-based X.509 certificates and then
> attempting to use a non-certificate based TLS authentication model. Put
> another way: you are trying to put a square peg in a round hole.
>
> Stick with the TLS ciphers that begin with TLS-DHE-RSA. DHE (an
> Ephemeral Diffie-Hellman exchange) provides forward-secrecy, and RSA is
> required when you have RSA keypairs. DSA keys are another option, but
> are less secure as spec requires them to be exactly 1024 bits (general
> advice today is to use 2048-bit RSA keys.) As noted above, you cannot
> "just enable" a DSA mode without actually generating DSA keypairs and
> associated signed certificates.
>
> I'll also note that unless you are running a git-master build of
> openvpn, you are currently limited to TLSv1.0 cipher-suites;
> specifically, this means you cannot (with openvpn 2.3.2 or earlier) use
> any TLS cipher-suites that use GCM. A git-master commit adds
> TLS-negotiation support if you wish to try out these ciphers. People
> wishing to review this feature under Windows can also see an unofficial
> pre-release build project I started here:
> http://sourceforge.net/projects/openvpnpreviews/
>
> --
> Josh
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v2.0.20 (GNU/Linux)
>
> iQGcBAEBAgAGBQJSd/d6AAoJENcx2Xpgb9RjL5UMAJjxsPIQJOVl4Yb9txPiZE6z
> NoZwsq7rR93Kmlm1M77qnu15gtFdcfzMbq15fmRoNeLDEYNLOzQZD6ziV77tqHrK
> tzIiNarmfmtGezj9JKfzTykZZ4QVxHDzMYxXDiKxcALVlRrxPY852ZoD1RAhvWxg
> DmH2AXAc0h2YmroHYYiQ1uoKd9bbL0mNdTm2FkbbDgNS/cm7lapyUWzjNkr8PbDm
> 2FzmNuk0JQmWeSKWTAKcJ6szMYpxF6rMybE8SmwzxzTS8xbOr+TPrV1phegQzjG2
> j0gZaD5hS4AgRcGqcBSVcpFQ+DTZYfJKmJWGCjDrdqLT7ZchS0iP8ULBuToL5jHy
> nDDCXFzuS3BN6ZfWYZ6752b6tfyPQER8uCvvM6i6vMhg7YcEMlwxeJ1pREDQnZji
> MOV0oyC9u+WN0gD7Bw+u3204GX/mAo6FbZYgAHznnWSIUusadrTPT5vzH5KtxpVG
> 00qczb5eiwkttt4k1b7KJafM/naVdroTFsDmP4PLsg==
> =jBAy
> -END PGP SIGNATURE-

Thanks Josh for the education.  I will try one of the other methods you 
suggested.  I just chose the one I did because it was at the top of the list on 
the server.  Is there a site or document that one could read that discusses 
some of these nuances?
--
November Webinars for C, C++, Fortran Developers
Accelerate application performance with scalable programming models. Explore
techniques for threading, error checking, porting, and tuning. Get the most 
from the latest Intel processors and coprocessors. See abstracts and register
http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk
___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users


Re: [Openvpn-users] Openvpn-users Digest, Vol 90, Issue 4

2013-11-05 Thread jack seth


>
> Message: 1
> Date: Mon, 04 Nov 2013 13:37:31 -0600
> From: Josh Cepek 
> Subject: Re: [Openvpn-users] Can't connect using tls-cipher
> TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA
> To: openvpn-users@lists.sourceforge.net
> Message-ID: 
> Content-Type: text/plain; charset=ISO-8859-1
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On 11/03/13 21:17, jack seth wrote:
>> I can't connect to my openvpn server using the option 'tls-cipher
>> TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA'. This is the only change I
>> made to the server and client configs. They were working perfectly
>> before this. Here are the relevant log info
>
> You cannot arbitrarily change the authentication mode of TLS without
> understanding what you have done and taken care to supply the necessary
> authentication components.
>
> The short answer for you: don't use any TLS cipher-suites unless they
> begin with TLS-DHE-RSA. More details below.
>
> RSA is one type of asymmetric encryption that uses RSA keypairs to
> perform the cryptographic verification between peers. OpenVPN used in a
> TLS mode with RSA requires RSA keypairs and valid X.509 certificates as
> the basis for authentication. If you intended to use client-based
> username/password authentication, read about --auth-user-pass-verify and
> --auth-user-pass in the manpage.
>
> By selecting an SRP authentication method, you are asking for a
> completely different mode of operation that is based on establishing a
> session encryption key based on passwords. This does not work in
> OpenVPN's context because the concept of a client or server's commonName
> is bound to the X.509 certificate field by the same name. Thus, you
> cannot use SRP with openvpn without significant modification to the
> openvpn program.
>
> You said this was "the only change you made" and this is why you get TLS
> negotiation errors: SRP is completely different than certificates, and
> you are apparently using RSA-based X.509 certificates and then
> attempting to use a non-certificate based TLS authentication model. Put
> another way: you are trying to put a square peg in a round hole.
>
> Stick with the TLS ciphers that begin with TLS-DHE-RSA. DHE (an
> Ephemeral Diffie-Hellman exchange) provides forward-secrecy, and RSA is
> required when you have RSA keypairs. DSA keys are another option, but
> are less secure as spec requires them to be exactly 1024 bits (general
> advice today is to use 2048-bit RSA keys.) As noted above, you cannot
> "just enable" a DSA mode without actually generating DSA keypairs and
> associated signed certificates.
>
> I'll also note that unless you are running a git-master build of
> openvpn, you are currently limited to TLSv1.0 cipher-suites;
> specifically, this means you cannot (with openvpn 2.3.2 or earlier) use
> any TLS cipher-suites that use GCM. A git-master commit adds
> TLS-negotiation support if you wish to try out these ciphers. People
> wishing to review this feature under Windows can also see an unofficial
> pre-release build project I started here:
> http://sourceforge.net/projects/openvpnpreviews/
>
> --
> Josh
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v2.0.20 (GNU/Linux)
>
> iQGcBAEBAgAGBQJSd/d6AAoJENcx2Xpgb9RjL5UMAJjxsPIQJOVl4Yb9txPiZE6z
> NoZwsq7rR93Kmlm1M77qnu15gtFdcfzMbq15fmRoNeLDEYNLOzQZD6ziV77tqHrK
> tzIiNarmfmtGezj9JKfzTykZZ4QVxHDzMYxXDiKxcALVlRrxPY852ZoD1RAhvWxg
> DmH2AXAc0h2YmroHYYiQ1uoKd9bbL0mNdTm2FkbbDgNS/cm7lapyUWzjNkr8PbDm
> 2FzmNuk0JQmWeSKWTAKcJ6szMYpxF6rMybE8SmwzxzTS8xbOr+TPrV1phegQzjG2
> j0gZaD5hS4AgRcGqcBSVcpFQ+DTZYfJKmJWGCjDrdqLT7ZchS0iP8ULBuToL5jHy
> nDDCXFzuS3BN6ZfWYZ6752b6tfyPQER8uCvvM6i6vMhg7YcEMlwxeJ1pREDQnZji
> MOV0oyC9u+WN0gD7Bw+u3204GX/mAo6FbZYgAHznnWSIUusadrTPT5vzH5KtxpVG
> 00qczb5eiwkttt4k1b7KJafM/naVdroTFsDmP4PLsg==
> =jBAy
> -END PGP SIGNATURE-
>

Well I switched to TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 and I still can't 
connect.  There are no errors on the server log but the client log says 
"TLS_ERROR: BIO read tls_read_plaintext error: error:140830B5:SSL 
routines:SSL3_CLIENT_HELLO:no ciphers available"  I don't really understand 
this because TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 is showing as available when I 
run the --show-tls option. 


[Openvpn-users] Help me figure out how to use tls-cipher

2014-10-16 Thread jack seth
I have the following command in both the server and client configs 'tls-cipher 
TLS-DHE-RSA-WITH-AES-256-CBC-SHA256'.  The server starts up fine with this so I 
think the server side is good.  Both are running Openvpn 2.3.4.  Server is 
linux on my router, client is on a Windows 7 Ultimate laptop.  Running the 
--show-tls command on the server and the client show the cipher as available.  
My client config connects fine with the 'tls-cipher' command commented out.  
Here is a portion of the client log:

Thu Oct 16 22:10:09 2014 TLS_ERROR: BIO read tls_read_plaintext error: 
error:140830B5:SSL routines:SSL3_CLIENT_HELLO:no ciphers available
Thu Oct 16 22:10:09 2014 TLS Error: TLS object -> incoming plaintext read error
Thu Oct 16 22:10:09 2014 TLS Error: TLS handshake failed

Help!


Re: [Openvpn-users] Help me figure out how to use tls-cipher

2014-10-17 Thread jack seth
Thanks for the reply.  That fixed my problem.  However, I have another problem. 
 I can't connect using the 'mute-replay-warnings' setting.  I have tried it in 
the server & client config files and just the client config file and the client 
won't connect.  Actually, it looks like it doesn't even get started.  The 
screen is blank with no text at all.  Can this be fixed or is it some kind of 
bug?

From: stef...@karger.me
Date: Fri, 17 Oct 2014 09:33:56 +0200
Subject: Re: [Openvpn-users] Help me figure out how to use tls-cipher
To: bird_...@hotmail.com
CC: openvpn-users@lists.sourceforge.net

Hi,

On Fri, Oct 17, 2014 at 5:13 AM, jack seth  wrote:

> I have the following command in both the server and client configs 'tls-cipher
> TLS-DHE-RSA-WITH-AES-256-CBC-SHA256'.  The server starts up fine with this so I
> think the server side is good.  Both are running Openvpn 2.3.4.  Server is
> linux on my router, client is on a Windows 7 Ultimate laptop.  Running the
> --show-tls command on the server and the client show the cipher as available.
> My client config connects fine with the 'tls-cipher' command commented out.
> Here is a portion of the client log:
>
> Thu Oct 16 22:10:09 2014 TLS_ERROR: BIO read tls_read_plaintext error:
> error:140830B5:SSL routines:SSL3_CLIENT_HELLO:no ciphers available
> Thu Oct 16 22:10:09 2014 TLS Error: TLS object -> incoming plaintext read error
> Thu Oct 16 22:10:09 2014 TLS Error: TLS handshake failed

SHA256 digests are only supported by TLSv1.2, whereas OpenVPN by default only 
does TLSv1.0 (because quite some corner cases break when enabling 1.2, 
work-in-progress). To enable TLSv1.2, add 'tls-version-min 1.0' to both server 
and client config file.

On a final note, tls-cipher is an expert feature for people who really know
what they're doing and how OpenSSL reacts to specifying tls ciphers.  Not
properly understanding what it does might result in a *less* secure connection.
Note that OpenVPN does not 'fall back' to insecure TLS/SSL versions when the
connection fails, like browsers do, and thus is not vulnerable to typical
TLS/SSL fallback attacks. Furthermore, protecting your TLS handshake using
tls-auth (see man page) protects you against attacks on the TLS implementation.
Given these facts, it is almost always wiser to let OpenSSL decide on the tls
cipher to use.

-Steffan
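The two handshake failures in this archive (the TLS-SRP suite in the earlier thread, and the SHA256 suite with no tls-version-min here) are both visible in the config before any handshake is attempted. The following Python is an added example, not code from the thread or from the OpenVPN project: it reads an OpenVPN 2.3-style config, flags cipher-suites that only exist in TLS 1.2 (SHA256/SHA384 HMACs, GCM modes) when tls-version-min is absent, and warns about suites outside the TLS-DHE-RSA family recommended earlier in the archive. The three sample configs at the bottom are constructed for the demonstration and reduced to the lines that matter.

```python
"""Added example (not code from the thread or from OpenVPN): lint an OpenVPN
2.3-era config for the tls-cipher pitfalls discussed in this thread.

Suite names use the IANA-style spelling that `openvpn --show-tls` prints.
"""
import re

# Suites whose HMAC or mode only exists in TLS 1.2 (SHA256/SHA384 HMACs, GCM).
TLS12_ONLY = re.compile(r"SHA256|SHA384|GCM")


def parse_config(text):
    """Map option name -> list of argument lists (an option may repeat)."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        name, *args = line.split()
        opts.setdefault(name, []).append(args)
    return opts


def lint_tls_cipher(text):
    """Return a list of 'note:/warn:/error:' strings; empty means nothing found."""
    opts = parse_config(text)
    suites = []
    for args in opts.get("tls-cipher", []):
        if args:
            suites += args[0].split(":")      # tls-cipher takes a colon-separated list
    if not suites:
        return []                             # OpenSSL chooses: nothing to check
    findings = ["note: tls-cipher is set; letting OpenSSL pick the suite is the safer default"]
    tv = opts.get("tls-version-min")
    min_version = tv[0][0] if tv and tv[0] else None
    for suite in suites:
        if not suite.startswith("TLS-DHE-RSA-"):
            findings.append(f"warn: {suite} is outside the TLS-DHE-RSA family "
                            "(RSA certificates with forward secrecy)")
        if TLS12_ONLY.search(suite) and min_version is None:
            findings.append(f"error: {suite} needs TLS 1.2, but without tls-version-min "
                            "OpenVPN 2.3 only negotiates TLS 1.0")
    return findings


# Constructed sample configs, reduced to the lines that matter.
SRP_CFG = "client\ndev tap\ntls-cipher TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA\n"
BROKEN_CFG = "client\ndev tap\ntls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256\n"
FIXED_CFG = BROKEN_CFG + "tls-version-min 1.0\n"   # what the reply above recommends

if __name__ == "__main__":
    for name, cfg in (("SRP", SRP_CFG), ("BROKEN", BROKEN_CFG), ("FIXED", FIXED_CFG)):
        print(name)
        for finding in lint_tls_cipher(cfg):
            print("  " + finding)
```

Run it against a real client or server config file (`lint_tls_cipher(open(path).read())`) before pushing a tls-cipher change to clients; the "note" line stays even for a correct config, because the reply above is right that pinning suites is rarely worth the risk.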


[Openvpn-users] Is it possible to get Openvpn to act like a bridge?

2014-10-18 Thread jack seth
I don't mean be part of a bridge.  For example, different interfaces assigned 
to it would become a vpn only interface.  


[Openvpn-users] How can I connect to two servers simultaneously?

2014-10-31 Thread jack seth
I would like to connect to a vpn service (for example privateinternetaccess) for
all internet traffic except for when I am connecting to my home network.  I
have an openvpn server running at home that I would be connecting to.  How can
I do something like this without having to alternate between sessions?


[Openvpn-users] Can't connect using the 'mute-replay-warnings' setting

2014-10-31 Thread jack seth
I can't connect using the 'mute-replay-warnings' setting.  I have tried it in
the server & client config files and just the client config file and the client
won't connect.  Actually, it looks like it doesn't even get started.  The screen
is blank with no text at all.  Can this be fixed or is it some kind of bug?


[Openvpn-users] How can I consistently get redirect-gateway def1 to work?

2014-11-06 Thread jack seth
I have my server TAP interface bridged to my lan so that when my client 
connects it gets assigned an IP in the same subnet as my lan.  Sometimes 
'redirect-gateway def1' creates the proper routes and sometimes it doesn't.  
During my testing, I manually created the same functionality as 
'redirect-gateway def1' by using these commands

route 0.0.0.0 128.0.0.0 192.168.200.1 (This command and the one below 
effectively replace the default routes to send all traffic to my server)
route 128.0.0.0 128.0.0.0 192.168.200.1
route 192.168.200.0 255.255.255.0 192.168.200.1 (This is a route for the lan 
traffic)
route .***.com 255.255.255.255 net_gateway (This is a route to my server 
from the public internet)


The above seems to work but I would like to use 'redirect-gateway def1' to 
accomplish this, if not that then the above commands using the variables. Like 
this

route 0.0.0.0 128.0.0.0 vpn_gateway
route 128.0.0.0 128.0.0.0 vpn_gateway
route 192.168.200.0 255.255.255.0 vpn_gateway
route remote_host 255.255.255.255 net_gateway


It almost seems like it is a timing issue. As if the client doesn't have all 
the variables before it tries to setup all the routes. Is it possible to delay 
this action somehow so the variables get populated before the the routes are 
set?   Client is Windows 7 running Openvpn 2.3.4.   Here are the configs, log 
and route info

Client log

Wed Nov 05 17:29:01 2014 us=838318 RESOLVE: Cannot parse IP address: net_gateway
Wed Nov 05 17:29:01 2014 us=838318 OpenVPN ROUTE: failed to parse/resolve route 
for host/network: remote_host
Wed Nov 05 17:29:01 2014 us=838318 OpenVPN ROUTE: vpn_gateway undefined
Wed Nov 05 17:29:01 2014 us=838318 OpenVPN ROUTE: failed to parse/resolve route 
for host/network: 0.0.0.0
Wed Nov 05 17:29:01 2014 us=838318 OpenVPN ROUTE: vpn_gateway undefined
Wed Nov 05 17:29:01 2014 us=838318 OpenVPN ROUTE: failed to parse/resolve route 
for host/network: 128.0.0.0
Wed Nov 05 17:29:01 2014 us=838318 OpenVPN ROUTE: vpn_gateway undefined
Wed Nov 05 17:29:01 2014 us=838318 OpenVPN ROUTE: failed to parse/resolve route 
for host/network: 192.168.200.0

Client config

client
dev tap
resolv-retry infinite
nobind
persist-key
persist-tun
#auth-user-pass
#auth-nocache
float
#user nobody
#group nobody
cipher AES-256-CBC
auth SHA256
tls-client
tls-version-min 1.0
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
route-gateway dhcp
route-delay 5
#route-method exe #Default is 'adaptive'
redirect-gateway def1
#route ..** 255.255.255.255 net_gateway
#route 0.0.0.0 128.0.0.0 vpn_gateway
#route 128.0.0.0 128.0.0.0 vpn_gateway
#route 192.168.200.0 255.255.255.0 vpn_gateway
ca "c:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "c:\\Program Files\\OpenVPN\\config\\hdx.crt"
key "c:\\Program Files\\OpenVPN\\config\\hdx.key"
tls-auth "c:\\Program Files\\OpenVPN\\config\\ta.key" 1
remote-cert-tls server
comp-lzo
verb 3


remote ..**
proto udp
port 1194
#mute-replay-warnings



remote ..**
proto tcp-client
port 1195


Server config

mode server  
proto udp 
port 1194 
dev tap0  
script-security 2
keepalive 15 60
daemon
verb 3 
comp-lzo 
persist-key
persist-tun
user nobody
group nobody
cipher AES-256-CBC
auth SHA256
#max-clients 3
client-to-client 
tls-server 
tls-version-min 1.0
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
tls-auth /opt/downloads/openvpn/ta.key 0 
ca /opt/downloads/openvpn/ca.crt 
dh /opt/downloads/openvpn/dh4096.pem  
cert /opt/downloads/openvpn/server.crt  
key /opt/downloads/openvpn/server.key


Route table before VPN connection

IPv4 Route Table
===
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      172.31.98.1    172.31.98.255      30
        127.0.0.0        255.0.0.0          On-link        127.0.0.1     306
        127.0.0.1  255.255.255.255          On-link        127.0.0.1     306
  127.255.255.255  255.255.255.255          On-link        127.0.0.1     306
      169.254.0.0      255.255.0.0          On-link    172.31.98.255      31
  169.254.255.255  255.255.255.255          On-link    172.31.98.255     286
      172.31.98.0    255.255.254.0          On-link    172.31.98.255     286
    172.31.98.255  255.255.255.255          On-link    172.31.98.255     286
    172.31.99.255  255.255.255.255          On-link    172.31.98.255     286
   195.93.243.115  255.255.255.255    192.168.200.1    172.31.98.255      31
        224.0.0.0        240.0.0.0          On-link        127.0.0.1     306
        224.0.0.0        240.0.0.0          On-link    172.31.98.255     286
  255.255.255.255  255.255.255.255          On-link        127.0.0.1     306
  255.255.255.255  255.255.255.255          On-link    172.31.98.255     286
===

Route table after VPN connection

IPv4 Route Tabl
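
No reply to this message survives in the archive. What a practitioner would verify on the Windows side is whether the routes that redirect-gateway def1 is meant to install (0.0.0.0/1 and 128.0.0.0/1 via the VPN gateway, plus a /32 to the VPN server via the original default gateway, exactly the set written out by hand above) are actually present after the connection, and which gateway a given destination would take. The following Python is an added example, not from the thread: it parses `route print` output, does the longest-prefix lookup Windows does, and lists the def1 routes that are missing. BEFORE is trimmed from the table posted above; AFTER, the server address 203.0.113.10 and the client's VPN address 192.168.200.116 are constructed for the demonstration.

```python
"""Added example (not from the thread): check a Windows `route print` table for
the routes `redirect-gateway def1` should install, and resolve which gateway a
destination would use. Runs offline on the embedded sample tables.
"""
import ipaddress
import re

# One 'Active Routes' row: destination, netmask, gateway (IP or On-link), interface, metric
ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_route_print(text):
    """Parse `route print` output into a list of route dicts."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue                      # headers, separators, other sections
        dest, mask, gw, iface, metric = m.groups()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append({"net": net, "gateway": gw, "iface": iface, "metric": int(metric)})
    return routes


def route_for(routes, dst):
    """Longest-prefix match, lowest metric on ties: the route Windows would pick."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst in r["net"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["net"].prefixlen, -r["metric"]))


def missing_def1_routes(routes, server_ip, vpn_gateway, net_gateway):
    """Return the def1 routes that are NOT present, as (network, gateway) pairs."""
    expected = [
        (ipaddress.ip_network("0.0.0.0/1"), vpn_gateway),       # route 0.0.0.0 128.0.0.0 vpn_gateway
        (ipaddress.ip_network("128.0.0.0/1"), vpn_gateway),     # route 128.0.0.0 128.0.0.0 vpn_gateway
        (ipaddress.ip_network(f"{server_ip}/32"), net_gateway),  # route remote_host 255.255.255.255 net_gateway
    ]
    present = {(r["net"], r["gateway"]) for r in routes}
    return [e for e in expected if e not in present]


# Trimmed from the 'before' table posted above.
BEFORE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      172.31.98.1    172.31.98.255      30
      172.31.98.0    255.255.254.0          On-link    172.31.98.255     286
   195.93.243.115  255.255.255.255    192.168.200.1    172.31.98.255      31
"""

# Constructed 'after' table: what a working def1 redirect looks like. The server
# address 203.0.113.10 and the client's VPN address 192.168.200.116 are made up.
AFTER = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      172.31.98.1    172.31.98.255      30
          0.0.0.0        128.0.0.0    192.168.200.1  192.168.200.116      30
        128.0.0.0        128.0.0.0    192.168.200.1  192.168.200.116      30
      172.31.98.0    255.255.254.0          On-link    172.31.98.255     286
    192.168.200.0    255.255.255.0          On-link  192.168.200.116     286
     203.0.113.10  255.255.255.255      172.31.98.1    172.31.98.255      30
"""

if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        routes = parse_route_print(table)
        print(label, "8.8.8.8 via", route_for(routes, "8.8.8.8")["gateway"])
        print(label, "missing def1 routes:",
              missing_def1_routes(routes, "203.0.113.10", "192.168.200.1", "172.31.98.1"))
```

On a live machine, feed it the output of `route print -4` (`parse_route_print(subprocess.check_output(["route", "print", "-4"], text=True))`) with the server's public address; an empty list from `missing_def1_routes` and a VPN gateway from `route_for` on a public address are the two conditions that mean the redirect actually took effect.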

[Openvpn-users] How can I use ECDSA keys for OpenVPN?

2014-12-21 Thread jack seth
This is on Windows 7.  Before I used the 'easy-rsa' script for RSA keys.  Now I 
would like to know how to generate CA, server, client, etc. using ECDSA keys?  
Thanks!


[Openvpn-users] Can you control what kind of secret key you create for tls-auth?

2014-12-21 Thread jack seth
Is it possible to dictate the parameters of the secret key that is generated?  
If so, how?  The openvpn documentation just gives this command 
'openvpn --genkey --secret ta.key'  What kind and size of key does this command 
generate?
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
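The archive carries no answer to this. As an added note, not from the thread: `openvpn --genkey --secret` writes 2048 bits (256 bytes) of random key material as hex between "BEGIN/END OpenVPN Static key V1" markers, and there is no size or type parameter because OpenVPN reads the file as a fixed layout of two 64-byte cipher-key slots and two 64-byte HMAC-key slots. tls-auth uses only the HMAC slots, one per direction when `tls-auth ta.key 0` / `1` is used, and from each slot it takes as many bytes as the --auth digest produces (32 for SHA256). The Python below is an added example that is not OpenVPN's code: it parses such a file, splits it into those slots, and shows which slice each side of a 0/1 pair sends and verifies with. The sample key is a constructed counter pattern, not a real key.

```python
"""Added example (not OpenVPN's code): inspect an OpenVPN static key file
('openvpn --genkey --secret ta.key') and show which bytes tls-auth uses.
"""
import hashlib

HEADER = "-----BEGIN OpenVPN Static key V1-----"
FOOTER = "-----END OpenVPN Static key V1-----"
SLOT = 64   # OpenVPN's MAX_CIPHER_KEY_LENGTH == MAX_HMAC_KEY_LENGTH == 64 bytes


def parse_static_key(text):
    """Return the 256 raw key bytes from a static key file, rejecting bad files."""
    hex_lines, inside = [], False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # --genkey writes a '#' comment header
            continue
        if line == HEADER:
            inside = True
            continue
        if line == FOOTER:
            break
        if inside:
            hex_lines.append(line)
    raw = bytes.fromhex("".join(hex_lines))
    if len(raw) != 4 * SLOT:
        raise ValueError(f"expected 256 bytes (2048 bits), got {len(raw)}")
    return raw


def key_slots(raw):
    """Split the 256 bytes into the four 64-byte slots OpenVPN reads them as."""
    return {
        "cipher0": raw[0:SLOT],        "hmac0": raw[SLOT:2 * SLOT],
        "cipher1": raw[2 * SLOT:3 * SLOT], "hmac1": raw[3 * SLOT:4 * SLOT],
    }


def tls_auth_hmac_keys(raw, direction, auth="sha256"):
    """HMAC keys one side uses with `tls-auth ta.key <direction>`.

    Direction 0 (server) sends with hmac0 and verifies with hmac1; direction 1
    (client) does the opposite. Only the first digest-length bytes of a slot
    are used, e.g. 32 of the 64 for SHA256.
    """
    n = hashlib.new(auth).digest_size
    slots = key_slots(raw)
    send, recv = ("hmac0", "hmac1") if direction == 0 else ("hmac1", "hmac0")
    return {"send": slots[send][:n], "recv": slots[recv][:n]}


def write_static_key(raw):
    """Render raw bytes in the file layout --genkey uses (16 bytes per hex line)."""
    body = "\n".join(raw[i:i + 16].hex() for i in range(0, len(raw), 16))
    return f"#\n# 2048 bit OpenVPN static key\n#\n{HEADER}\n{body}\n{FOOTER}\n"


# Constructed sample: a 0x00..0xff counter so the slot boundaries are visible.
# This is NOT a real key; a real one is 256 random bytes.
SAMPLE_RAW = bytes(range(256))
SAMPLE_FILE = write_static_key(SAMPLE_RAW)

if __name__ == "__main__":
    raw = parse_static_key(SAMPLE_FILE)
    server, client = tls_auth_hmac_keys(raw, 0), tls_auth_hmac_keys(raw, 1)
    print("server sends with", server["send"].hex())
    print("client checks with", client["recv"].hex())
```

Point `parse_static_key` at a real ta.key to confirm it is the full 256 bytes and undamaged; the size is fixed by the format, so the only thing worth controlling at generation time is the quality of the randomness on the host that runs --genkey.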


[Openvpn-users] What is the password for when generating keys?

2014-12-22 Thread jack seth
Even when I am using the 'build-key' and 'build-key-server' batch files (i.e. 
ones without 'pass' in them), when I get toward the end of putting the 
parameters in it asks for a password.  What's this for?  Should I actually 
enter one?


Re: [Openvpn-users] What is the password for when generating keys?

2014-12-22 Thread jack seth
Upon further inspection, I don't think this is the password for your private 
key.  The screen says "Please enter the following 'extra' attributes to be sent 
with your certificate request.  A challenge password [] An optional company 
name []"  What is this password for?

Also, I am wondering if it is a good idea to protect the CA private key and 
client private keys with a password?  What are the pros and cons?   I have read 
that it wouldn't be good to protect the server's private key because it 
couldn't start up without putting in the password.

Date: Mon, 22 Dec 2014 17:48:34 +0200
From: pbychik...@yahoo.com
To: bird_...@hotmail.com; openvpn-users@lists.sourceforge.net
Subject: Re: [Openvpn-users] What is the password for when generating keys?


  

  
  
You can protect your private key with a password - an additional measure of
security

Best regards,
Pavel

Original Message
Subject: [Openvpn-users] What is the password for when generating keys?
From: jack seth
To: openvpn-users@lists.sourceforge.net
Date: 22.12.2014 16:27

> Even when I am using the 'build-key' and 'build-key-server' batch files (i.e.
> ones without 'pass' in them), when I get toward the end of putting the
> parameters in it asks for a password.  What's this for?  Should I actually
> enter one?




Re: [Openvpn-users] What is the password for when generating keys?

2014-12-22 Thread jack seth
I assume you meant a CA private key should always be protected by a password 
correct?  Does using a password for the CA (or any key) require you to encrypt 
the key?  How can a user remove a password if you have encrypted the client 
private key?

Date: Tue, 23 Dec 2014 00:38:14 +0100
From: janj...@nikhef.nl
To: bird_...@hotmail.com; pbychik...@yahoo.com; 
openvpn-users@lists.sourceforge.net
Subject: Re: [Openvpn-users] What is the password for when generating keys?


  

  
  
On 22/12/14 22:30, jack seth wrote:

> Upon further inspection, I don't think this is the password for your private
> key.  The screen says "Please enter the following 'extra' attributes to be sent
> with your certificate request.  A challenge password [] An optional company
> name []"  What is this password for?

this is the 'challenge' password and is seldom used; you can protect your
certificate REQUEST using a challenge password so that only the right CA can
generate a certificate for it. This would protect the end user from receiving
certificates signed by a malicious CA

> Also, I am wondering if it is a good idea to protect the CA private key and
> client private keys with a password?  What are the pros and cons?   I have read
> that it wouldn't be good to protect the server's private key because it
> couldn't start up without putting in the password.

the CA private key should ALWAYS be protected using a private key - it's the
most crucial part of your Public Key Infrastructure. It is also advisable to
store the CA private key on a separate host - not on the client, not on the
server.

As for protecting client private keys using a password: it is a good security
practice but a user can always remove the password, so don't think it adds THAT
much security.

HTH,

JJK




[Openvpn-users] How can I sign a previously created ca.crt?

2014-12-22 Thread jack seth
Is it possible for me to sign my already created ca.crt with my ca.key?  If so, 
how?


[Openvpn-users] Testing with large keys

2014-12-26 Thread jack seth
I am trying out my config using 16384 size keys.  I am using my working 
config except for substituting my large keys (still using the same ta.key 
though).  I am getting a 'inactivity timeout' from the server after about 3 
minutes during the TLS handshake.  I have read it will take longer to negotiate 
with these large keys.   How can I extend or disable this timeout on the server?


Re: [Openvpn-users] Testing with large keys

2014-12-31 Thread jack seth
Upon further testing the problem seem to be using DH parameters of 16384 size.  
 Can someone provide some guidance on how I can get the server to extend or 
disable the inactivity timeout?

From: bird_...@hotmail.com
To: openvpn-users@lists.sourceforge.net
Subject: Testing with large keys
Date: Fri, 26 Dec 2014 16:48:09 -0600




> I am trying out my config using 16384 size keys.  I am using my working
> config except for substituting my large keys (still using the same ta.key
> though).  I am getting a 'inactivity timeout' from the server after about 3
> minutes during the TLS handshake.  I have read it will take longer to negotiate
> with these large keys.   How can I extend or disable this timeout on the server?



Re: [Openvpn-users] Testing with large keys

2015-01-01 Thread jack seth
I have tried the 'hand-window' option.  It works for the client config but the 
server side still times out after about 3 minutes or (180 seconds).  So it is 
something on the server side that needs to be disabled I think.

Date: Thu, 1 Jan 2015 13:16:42 +0100
From: janj...@nikhef.nl
To: bird_...@hotmail.com; openvpn-users@lists.sourceforge.net
Subject: Re: [Openvpn-users] Testing with large keys


  

  
  
On 26/12/14 23:48, jack seth wrote:

> I am trying out my config using 16384 size keys.  I am using my working config
> except for substituting my large keys (still using the same ta.key though).  I
> am getting a 'inactivity timeout' from the server after about 3 minutes during
> the TLS handshake.  I have read it will take longer to negotiate with these
> large keys.   How can I extend or disable this timeout on the server?

why anyone would (yet) bother with 16384 bit keys is a mystery to me (4096 bit
should suffice for the next few years) but I guess you're looking for the

  hand-window N

option, where the default value for N is 60 (seconds); increase this to a
larger value to see if that helps.

I would expect the session to die after 1 hour though, as key renegotiation
will also take (too) long.

HTH,

JJK




Re: [Openvpn-users] Testing with large keys

2015-01-01 Thread jack seth
Could possibly be that.   I ran your command below and I get 180 also.   Is 
there a way to temporarily disable it?  Does this happen on TCP streams?

> Date: Thu, 1 Jan 2015 21:35:33 -0500
> From: xenoph...@godshell.com
> To: bird_...@hotmail.com
> CC: janj...@nikhef.nl; openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] Testing with large keys
> 
> -BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> jack seth wrote:
> > I have tried the 'hand-window' option.  It works for the client
> > config but the server side still times out after about 3 minutes or
> > (180 seconds).  So it is something on the server side that needs to
> > be disabled I think.
> 
> Are you hitting some sort of network timer maybe?  Something outside of
> the openVPN system?  For instance, on my system, the default timeout for
> udp streams tracked by iptables is 180 seconds.
> 
> $ sysctl net.netfilter.nf_conntrack_udp_timeout_stream
> net.netfilter.nf_conntrack_udp_timeout_stream = 180
> 
> Maybe that's what you're running into.
> 
> --
> ---
> Jason 'XenoPhage' Frisvold
> xenoph...@godshell.com
> ---
> 
> "Any sufficiently advanced magic is indistinguishable from technology."
> - Niven's Inverse of Clarke's Third Law
> -BEGIN PGP SIGNATURE-
> Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> 
> iEYEARECAAYFAlSmA/UACgkQ8CjzPZyTUTS07wCfUZb+ndjMPfbFMFws2Y/UFbOM
> yTsAoKEJeMJTC3u2RmEVmOgP4nQ0Yy9V
> =FNKv
> -END PGP SIGNATURE-


Re: [Openvpn-users] Testing with large keys

2015-01-01 Thread jack seth
Well now it timed out in less than 3 minutes.  This is the server openvpn.log

Thu Jan  1 23:15:04 2015 192.168.200.116:50290 TLS: Initial packet from 
[AF_INET]192.168.200.116:50290 (via [AF_INET]192.168.200.1%br0), sid=bfb37b79 
340ac555
Thu Jan  1 23:17:32 2015 192.168.200.116:50290 [UNDEF] Inactivity timeout 
(--ping-restart), restarting
Thu Jan  1 23:17:32 2015 192.168.200.116:50290 SIGUSR1[soft,ping-restart] 
received, client-instance restarting

I can get it to work using a 8192 DH parameters but 16384 is a no go.




> Date: Thu, 1 Jan 2015 22:00:04 -0500
> From: xenoph...@godshell.com
> To: bird_...@hotmail.com
> CC: janj...@nikhef.nl; openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] Testing with large keys
> 
> -BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> jack seth wrote:
> > Could possibly be that.   I ran your command below and I get 180 
> > also. Is there a way to temporarily disable it?  Does this happen on 
> > TCP streams?
> 
> That would be for UDP streams.  There are a number of parameters for tcp
> connections ..  Check out the /proc/sys/net/netfilter directory on your
> linux box.
> 
> I wouldn't disable it, but you could determine if that's what the
> problem is by changing the value and verifying if the behavior changes.
>  You can use sysctl to set a new value :
> 
> $ sudo sysctl -w net.netfilter.nf_conntrack_udp_timeout_stream=240
> 
> That would change the setting to 240 seconds.  If this ends up being the
> problem, you can make these settings permanent via /etc/sysctl.conf.
> 
> --
> ---
> Jason 'XenoPhage' Frisvold
> xenoph...@godshell.com
> ---
> 
> "Any sufficiently advanced magic is indistinguishable from technology."
> - Niven's Inverse of Clarke's Third Law


[Openvpn-users] Help encrypting ca.key

2015-01-02 Thread jack seth
I must be doing something wrong but I can't figure out what it is.  I am trying 
to encrypt my private ca key with this command

openssl rsa -in ca.key -out caencrypted.key -aes256

This works fine but the problem is I don't get the original key back when I 
decrypt it using this command

openssl rsa -in caencrypted.key -out catest.key


catest.key doesn't have the same characters in it as ca.key when looking at 
them in a text editor.   What am I missing here?
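An added check, not part of the thread, that settles the question with a test instead of a text editor: the two commands above round-trip the key, and `openssl rsa` re-serializes it on the way out, so the PEM label, line wrapping or PKCS#1-versus-PKCS#8 envelope can differ between `ca.key` and `catest.key` even though the RSA key inside is identical. Comparing the modulus of all three files shows whether the key survived. The file names, the working directory and the demo passphrase are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): round-trip an RSA private
# key through "openssl rsa -aes256" and back, then prove the key material is
# unchanged even when the PEM text is not. Paths and passphrase are assumed.
set -eu

WORK="${TMPDIR:-/tmp}/ca-key-roundtrip.$$"   # assumed scratch directory
mkdir -p "$WORK"
chmod 700 "$WORK"                            # private key material: owner-only
trap 'rm -rf "$WORK"' EXIT

# Constructed passphrase for the demo only. For a real CA key prefer
# -passout file:... (or an interactive prompt) over a literal on the command line.
PASS="pass:demo-passphrase-not-for-production"

# Throwaway 2048-bit key standing in for the CA key from the thread.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/ca.key" 2>/dev/null

# Print the RSA modulus of a private key (encrypted or not) as one hex line.
# $1 = key file, $2 = optional password source for an encrypted key
key_modulus() {
    if [ "${2:-}" ]; then
        openssl rsa -in "$1" -passin "$2" -noout -modulus
    else
        openssl rsa -in "$1" -noout -modulus
    fi
}

# First line of a PEM file: the label that may differ between the files.
pem_label() {
    head -n 1 "$1"
}

# The two commands from the thread: encrypt, then decrypt into a third file.
openssl rsa -in "$WORK/ca.key" -out "$WORK/caencrypted.key" -aes256 \
    -passout "$PASS" 2>/dev/null
openssl rsa -in "$WORK/caencrypted.key" -out "$WORK/catest.key" \
    -passin "$PASS" 2>/dev/null

# Returns 0 when original, encrypted and decrypted files hold the same RSA key.
same_key() {
    m_orig=$(key_modulus "$WORK/ca.key")
    m_enc=$(key_modulus "$WORK/caencrypted.key" "$PASS")
    m_dec=$(key_modulus "$WORK/catest.key")
    [ "$m_orig" = "$m_enc" ] && [ "$m_orig" = "$m_dec" ]
}

# Returns 0 only when the decrypted file is byte-identical to the original;
# this is allowed to fail, which is exactly the thread's observation.
same_bytes() {
    cmp -s "$WORK/ca.key" "$WORK/catest.key"
}

if same_key; then
    echo "key material unchanged:  $(pem_label "$WORK/ca.key") vs $(pem_label "$WORK/catest.key")"
else
    echo "key material DIFFERS (something really is wrong)"
fi
same_bytes || echo "PEM bytes differ, which is harmless when the modulus matches"
```

`same_key` is the check worth keeping around: a different modulus means a different key, while a different first line or line count only means a different encoding.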


[Openvpn-users] What size DH parameters for AES256?

2015-03-28 Thread jack seth
I think I read somewhere that keys should be around 15K bit to match the 
security of AES256.  Do DH parameters need to be just as large?  Easy-RSA makes 
the keys and DH parameters the same bit size.


Re: [Openvpn-users] What size DH parameters for AES256?

2015-04-06 Thread jack seth


> Message: 4
> Date: Sun, 29 Mar 2015 14:12:01 +0200
> From: Steffan Karger 
> Subject: Re: [Openvpn-users] What size DH parameters for AES256?
> To: openvpn-users@lists.sourceforge.net
> Message-ID: <5517ec11.1080...@karger.me>
> Content-Type: text/plain; charset=windows-1252
> 
> On 28-03-15 20:05, jack seth wrote:
> > I think I read somewhere that keys should be around 15K bit to match the
> > security of AES256.  Do DH parameters need to be just as large? 
> > Easy-RSA makes the keys and DH parameters the same bit size.
> 
> That was probably NIST SP 800-57, section 6.5.1 [1], which states
> 15360-bit DH or RSA has the same security level as AES256.  Both finite
> field problems (such as DH) and integer factorization (such as RSA) are
> placed in the same league.  So yes, to achieve an equal security level,
> you should choose your DH group the same size as your RSA modulus.
> 
> On a practical note though, AES256 gives reasonable performance, but 15K
> RSA/DH is _very_ slow.  If you don't care about the time it takes to set
> up a connection (and generate DH group parameters) that is not a
> problem, but for most real-world setups the performance hit is not
> reasonable.
> 
> Also note that the reason to use AES256 is not that a 128-bits search
> space is not enough, but because if powerful quantum computers ever
> become reality, one can use Grover's algorithm [2] to reduce the search
> space to 128 bit.  But, if powerful quantum computers do became reality,
> both RSA and DH are completely broken [3].  Which makes it from my point
> of view very reasonable to choose a security level similar to AES-128
> for your DH parameters or RSA modulus.
> 
> -Steffan
> 
> [1]
> http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf
> 
> [2] https://en.wikipedia.org/wiki/Grover%27s_algorithm
> 
> [3] http://arxiv.org/abs/quant-ph/9508027

What about when you use elliptic curve keys?   These keys are much smaller but 
should you still use DH parameters that match the RSA key size?


Re: [Openvpn-users] Testing with large keys

2015-04-22 Thread jack seth
Ok I have been doing some experiments and I can connect using 1 bit DH 
parameters.  Any bigger than that up to at least 13824 I get the following 
'modulus too large' error on the client log:

TLS_ERROR: BIO read tls_read_plaintext error: error:05066067:Diffie-Hellman 
routines:COMPUTE_KEY:modulus too large: error:14098005:SSL 
routines:SSL3_SEND_CLIENT_KEY_EXCHANGE:DH lib
Wed Apr 22 07:08:58 2015 TLS Error: TLS object -> incoming plaintext read error
Wed Apr 22 07:08:58 2015 TLS Error: TLS handshake failed

Something interesting/weird also happened.  I tried to test 10001, 10002, and 
10004 bit DH to find the exact place I would get the 'modulus too large' error. 
 But the server log reported the DH parameters being 10008 instead.  I did a 
test at 15104 that gave the same error but then I tried two more times and the 
client just sat at the 'initial packet point' like it does with the 16384 bit 
parameters.  So somewhere between 13824 and 16384 it switches between the error 
above and just sitting there 'frozen'.

Questions: 1. Can the modulus error be cured?  2. Do you think the same modulus 
error is going on when the client appears to freeze with parameters larger than 
13824 or is something else going (i.e. why does it freeze instead of giving the 
'modulus error')?  3. Why does the server log report 10001, 10002, 10004 bit DH 
as 10008?




Re: [Openvpn-users] any way to get local network details to flow through to the server?

2015-06-05 Thread jack seth


> Message: 1
> Date: Tue, 2 Jun 2015 23:43:39 +0200
> From: Gert Doering 
> Subject: Re: [Openvpn-users] any way to get local network details to
> flow through to the server?
> To: Jason Haar 
> Cc: "openvpn-users@lists.sourceforge.net"
> 
> Message-ID: <20150602214339.gc...@greenie.muc.de>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi,
>
> On Wed, Jun 03, 2015 at 08:05:21AM +1200, Jason Haar wrote:
>> In this case using the openvpn tunnel as the default gw should have
>> solved the problem - but normal people can't figure that out - so I'd
>> like to solve it dynamically at the server end. However, to do that, the
>> server would need to know in advance the routing table of the client -
>> so that it could do something like "if 10.anything is local, then
>> disable split tunnel and push all traffic through openvpn; else do split
>> tunnel".
>
> I'm not exactly sure what options the client sends to the server in
> the "peer-info" handshake (IV_...), but I'm afraid that "routing data"
> is not part of it...
>
> What you could *try* is a magic option I just discovered recently :-) - push
> "redirect-private", and then push routes for 10.0.0.0/8 (and maybe a few
> /25s for the really important stuff, to override whatever 10.x netmask the
> hotel might use).
>
> --redirect-private is the bit of --redirect-gateway that figures out the
> local default gateway, and installs a host route "vpn server -> this gateway",
> so after that, you're fairly safe to redirect about anything...
>
> (As a side note, you're screwed in any case if the hotel gateway happens
> to use an ip address also used by one of your servers - but to fix *that*,
> you'd have to go down the "use NAT on the server tun" route...)
>
> gert


Can you further explain the "use NAT on the server tun"?  How would you solve 
the issue if the server has the same ip address as the hotel gateway?  Please 
post examples.

  


[Openvpn-users] How do I define vpn_gateway?

2015-06-06 Thread jack seth
I am trying to use the vpn_gateway variable in a route command but I keep 
getting this error in the client log 'OpenVPN ROUTE: vpn_gateway undefined'.   
How do I fix this?  Server running 2.3.6  Windows client on 2.3.4.


Re: [Openvpn-users] How do I define vpn_gateway?

2015-06-06 Thread jack seth


> From: debbie...@gmail.com
> To: bird_...@hotmail.com
> CC: openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] How do I define vpn_gateway?
> Date: Sat, 6 Jun 2015 15:25:08 +0100
> 
> Hi
> - Original Message - 
> From: "jack seth" 
> To: 
> Sent: Saturday, June 06, 2015 1:49 PM
> Subject: [Openvpn-users] How do I define vpn_gateway?
> 
> 
> > I am trying to use the vpn_gateway variable in a route command but I keep
> > getting this error in the client log 'OpenVPN ROUTE: vpn_gateway
> > undefined'.
> > How do I fix this?  Server running 2.3.6  Windows client on 2.3.4.
> 
> From the manual:
> vpn_gateway -- The remote VPN endpoint address (derived either
> from --route-gateway or the second parameter to --ifconfig when --dev tun is
> specified).
> 
> Also:
> * route-gateway is not auto pushed by --server in --topology net30
> * second parameter of --ifconfig is netmask in --topology subnet
> 
> So:
> * push "route-gateway ..."
> then the client can evaluate the vpn_gateway.
> 
> Regards

I'm using 'route-gateway dhcp'.   Can 'vpn_gateway' not be used with this?


Re: [Openvpn-users] How do I define vpn_gateway?

2015-06-06 Thread jack seth


> From: debbie...@gmail.com
> To: bird_...@hotmail.com
> CC: openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] How do I define vpn_gateway?
> Date: Sat, 6 Jun 2015 16:59:22 +0100
> 
> 
> - Original Message - 
> From: "jack seth" 
> To: 
> Cc: 
> Sent: Saturday, June 06, 2015 3:58 PM
> Subject: RE: [Openvpn-users] How do I define vpn_gateway?
> 
> 
> > I'm using 'route-gateway dhcp'.   Can 'vpn_gateway' not be used with this?
> 
> Testing on my setup appears to indicate that they cannot  be used together.
> But I did not test very thoroughly and you have not posted details of your
> setup.
> eg: TAP or TUN .. etc
> 
> From the manual:
> --route-gateway gw|'dhcp'
> Specify a default gateway gw for use with --route.
> If dhcp is specified as the parameter, the gateway address will be extracted
> from ** a DHCP negotiation ** with the OpenVPN server-side LAN.
> 
> This implies that it also requires --dev tap as ** a DHCP negotiation **
> will probably use broadcasts ..
> 
> Regards

Yes, it's tap.  It may be a timing thing.  


Re: [Openvpn-users] OpenVPN 2.3.10 released

2016-01-05 Thread jack seth




Message: 1
Date: Mon, 4 Jan 2016 16:48:04 +0200
From: Samuli Seppänen 
Subject: [Openvpn-users] OpenVPN 2.3.10 released
To: openvpn-users@lists.sourceforge.net, openvpn-de...@lists.sourceforge.net, openvpn-annou...@lists.sourceforge.net
Message-ID: <568a8624.3020...@openvpn.net>
Content-Type: text/plain; charset=iso-8859-15; format=flowed

The OpenVPN community project team is proud to release OpenVPN 2.3.10.
It can be downloaded from here:



This release fixes IPv6 on Windows XP and warns users about expired
certificates. A few other small fixes and improvements are included. In
addition, PolarSSL 1.3 is now required for PolarSSL builds. The Windows
installers now bundle OpenVPN-GUI 10, which automatically requests
administrator privileges using UAC, instead of launching as a normal
user and then failing at route creation time. A full list of changes is
available here:



For generic help use these support channels:

Official documentation:

Wiki: 
Forums: 
User mailing list: 
User IRC channel: #openvpn at irc.freenode.net

Please report bugs and ask development questions here:

Bug tracker and wiki: 
Developer mailing list: 
Developer IRC channel: #openvpn-devel at irc.freenode.net (requires
Freenode registration)

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock


Congrats on the latest release.  Any eta on a 2.4?



[Openvpn-users] Keys in Openvpn 2.4

2016-11-04 Thread jack seth

How large of elliptic curve keys and EC DH parameters can 2.4 handle?


Re: [Openvpn-users] Keys in Openvpn 2.4

2016-11-05 Thread jack seth




Message: 2
Date: Sat, 5 Nov 2016 09:15:13 +0100
From: Steffan Karger 
Subject: Re: [Openvpn-users] Keys in Openvpn 2.4
To: openvpn-users@lists.sourceforge.net
Message-ID: 
Content-Type: text/plain; charset=windows-1252

Hi,

On 05-11-16 02:29, jack seth wrote:
> How large of elliptic curve keys and EC DH parameters can 2.4 handle?

As large as the underlying crypto library version can.  P-521 shouldn't
be a problem.  General consensus (looking at e.g. IKE and TLS) seems to
be that 256/384 bits curves are good enough (e.g. curve25519, P-256 or
P-384).

(You might run in to issues if you are using other features that need to
comply, such as --pkcs11-* ('smart cards'), --management-external-key or
--cryptoapicert, but if it's just a key file you're trying to load that
shouldn't be a problem.)

-Steffan



I would like to be able to generate keys that are at least equivalent to 
AES-256.  See the chart here 
http://crypto.stackexchange.com/questions/31439/how-do-i-get-the-equivalent-strength-of-an-ecc-key


[Openvpn-users] Underlying command for static key file

2016-11-08 Thread jack seth
I'm assuming that Openvpn is actually using Openssl to create the 2048-bit 
'ta.key' file (If that's not right please correct me).  If so, what are the 
openssl command/options used to create this file?



[Openvpn-users] Underlying command for static key file creation

2016-11-08 Thread jack seth



From: Gert Doering 
Sent: Tuesday, November 8, 2016 11:20 AM
To: jack seth
Cc: openvpn-users@lists.sourceforge.net
Subject: Re: [Openvpn-users] Underlying command for static key file

Hi,

On Tue, Nov 08, 2016 at 05:09:32PM +, jack seth wrote:
> I'm assuming that Openvpn is actually using Openssl to create the 2048-bit 
> 'ta.key' file (If that's not right please correct me).  If so, what are the 
> openssl command/options used to create this file?

The openvpn man page suggests using "openvpn --genkey"

   --tls-auth file [direction]
  Add an additional layer of HMAC authentication on top of the TLS
  control channel to protect against DoS attacks.

  In  a  nutshell, --tls-auth enables a kind of "HMAC firewall" on
  OpenVPN's TCP/UDP port, where TLS control channel packets  bear-
  ing an incorrect HMAC signature can be dropped immediately with-
  out response.

  file (required) is a file in OpenVPN static key format which can
  be generated by --genkey

gert
--
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025   g...@net.informatik.tu-muenchen.de

Thanks for the response, but that is not what I mean.   I know that you create 
that file with the "openvpn --genkey" normally.  What I am wondering is if that 
action really calls 'openssl' and issues commands/options to that?  If that is 
true, what is the 'openssl' command for this?
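An added example, not OpenVPN's own code and not an answer the thread gives: it writes a 2048-bit key in the "OpenVPN Static key V1" file layout using only the openssl command line, then demonstrates the "HMAC firewall" behaviour the quoted man page describes, where a packet whose HMAC tag does not verify is dropped without a reply. OpenVPN itself produces `ta.key` in-process through its linked crypto library's random number generator rather than by running the `openssl` binary, and its real control-channel packet layout and `--key-direction` key slicing are not reproduced here; the 20-byte key slice, the file path and the sample payload are assumptions of this example.

```shell
#!/bin/sh
# Added example (not OpenVPN's own code): build a 2048-bit key in the
# "OpenVPN Static key V1" file format with openssl, and show the HMAC
# firewall idea: verify a tag, accept on match, silently drop otherwise.
# The 20-byte key slice and the packet format are simplifications.
set -eu

KEYFILE="${TMPDIR:-/tmp}/ta-demo.$$.key"     # assumed path
trap 'rm -f "$KEYFILE"' EXIT

# 2048 random bits as 16 lines of 32 hex characters inside the V1 armor.
gen_static_key() {
    printf '#\n# 2048 bit OpenVPN static key\n#\n'
    echo '-----BEGIN OpenVPN Static key V1-----'
    openssl rand -hex 256 | fold -w 32
    echo '-----END OpenVPN Static key V1-----'
}

# Raw key as one 512-character hex string (comments and armor stripped).
static_key_hex() {
    grep -v '^#' "$1" | grep -v '^-----' | tr -d '\n'
}

# Returns 0 if the file carries both armor lines and exactly 256 key bytes.
static_key_valid() {
    grep -q '^-----BEGIN OpenVPN Static key V1-----$' "$1" || return 1
    grep -q '^-----END OpenVPN Static key V1-----$' "$1" || return 1
    hex=$(static_key_hex "$1")
    [ "${#hex}" -eq 512 ] || return 1
    printf '%s' "$hex" | grep -Eq '^[0-9a-f]{512}$'
}

# Demo choice: first 20 bytes (40 hex chars) of the file as the HMAC-SHA1 key.
# OpenVPN's own --key-direction slicing of the 256 bytes is not reproduced.
hmac_key_hex() {
    static_key_hex "$1" | cut -c1-40
}

# HMAC-SHA1 tag (hex) over a payload string under a hex key.
# $1 = hex key, $2 = payload
sign_packet() {
    printf '%s' "$2" | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$1" \
        | awk '{print $NF}'
}

# HMAC firewall: return 0 (accept) only when the received tag verifies,
# otherwise 1 (drop, no reply). A production check would compare in
# constant time; this shell comparison is for illustration.
# $1 = hex key, $2 = payload, $3 = received tag
check_packet() {
    expected=$(sign_packet "$1" "$2")
    [ "$expected" = "$3" ]
}

gen_static_key > "$KEYFILE"
chmod 600 "$KEYFILE"                         # shared secret: owner-only

K=$(hmac_key_hex "$KEYFILE")
PAYLOAD="constructed control-channel payload"
TAG=$(sign_packet "$K" "$PAYLOAD")
check_packet "$K" "$PAYLOAD" "$TAG" && echo "genuine packet: accepted"
check_packet "$K" "forged payload" "$TAG" || echo "bad HMAC: dropped silently"
```

The useful property is the second branch: a sender without the key cannot produce a tag that verifies, so such packets never reach the TLS code and get no response at all, which is the DoS protection the man page text above refers to.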


[Openvpn-users] Can you have failover with UDP?

2016-11-10 Thread jack seth
My client config file has more than one  
setup and I am wondering if there is a way to have the next connection 
be tried if the previous one fails to connect?

How does Openvpn know if the connection has failed if it is UDP?


Re: [Openvpn-users] Can you have failover with UDP?

2016-11-11 Thread jack seth



From: Gert Doering 
Sent: Friday, November 11, 2016 1:51 AM
To: jack seth
Cc: openvpn-users@lists.sourceforge.net
Subject: Re: [Openvpn-users] Can you have  failover with UDP?

Hi,

On Thu, Nov 10, 2016 at 10:22:32PM +, jack seth wrote:
> My client config file has more than one  
> setup and I am wondering if there is a way to have the next connection
> be tried if the previous one fails to connect?

This is the normal way things happen :-)

> How does Openvpn know if the connection has failed if it is UDP?

No handshake in  seconds.

gert

--
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025   g...@net.informatik.tu-muenchen.de

What is the default timeout value?
Is this the setting (server-poll-timeout) to change the value?


[Openvpn-users] What is the default failover timout?

2016-11-14 Thread jack seth
When you have multiple  configs how long after a failure to connect 
does the next config get tried?
Is  '--server-poll-timeout' the correct setting to change this value?


[Openvpn-users] Persist-tun+resolv-retry+redirect-gateway = problem

2016-11-24 Thread jack seth
I think this is a problem for servers using DDNS.  If the tunnel goes down the 
client will try to first resolve the server's hostname but the all traffic 
(specifically DNS) is still routed to the tunnel which is down. :)  So you can 
never reconnect.  Is there a way to specify that the openvpn server address 
uses a specific DNS server while all other traffic gets sent to the VPN? 



Re: [Openvpn-users] Persist-tun+resolv-retry+redirect-gateway = problem

2016-11-24 Thread jack seth



From: Gert Doering 
Sent: Thursday, November 24, 2016 3:21 PM
To: jack seth
Cc: openvpn-users@lists.sourceforge.net
Subject: Re: [Openvpn-users] Persist-tun+resolv-retry+redirect-gateway = problem

Hi,

On Thu, Nov 24, 2016 at 04:47:22PM +, jack seth wrote:
> I think this is a problem for servers using DDNS.  If the tunnel goes down 
> the client will try to first resolve the server's hostname but the all 
> traffic (specifically DNS) is still routed to the tunnel which is down. :)  
> So you can never reconnect.  Is there a way to specify that the openvpn 
> server address uses a specific DNS server while all other traffic gets sent 
> to the VPN?

--redirect-gateway def1 bypass-dns

(this only works on windows, because our code does not know how to query the
currently-active DNS servers on other platforms)

gert
--
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025   g...@net.informatik.tu-muenchen.de

Thanks but won't this make all DNS requests go outside the VPN?  What about 
this?
dhcp-option DNS 192.168.25.1
dhcp-option DNS 8.8.8.8

Would this use the VPN (i.e. 192.168.25.1) but if it failed would it use 
8.8.8.8?



Re: [Openvpn-users] Question about tls-crypt and port 443 firewall ducking

2016-12-22 Thread jack seth


Date: Tue, 20 Dec 2016 20:03:59 +0100
From: Steffan Karger 

Hi,


Exactly.  To reliably bypass good DPI, it is not sufficient to hide that
traffic is (Open)VPN traffic, but instead you'll need to make it look
like allowed traffic.  Tunneling over stunnel (which is 'plain' TLS, so
looks very similar to HTTPS) does a decent job there.

But the advice here remains unchanged:  if you want to bypass DPI, use a
tool that is designed to do just that, such as obfsproxy.

-Steffan

How do you implement obfsproxy?


[Openvpn-users] How to create EC keys for version 2.4?

2016-12-28 Thread jack seth
Can someone point me to some documentation for creating EC keys?
Thanks!
