Faidon Liambotis wrote:
Another reason to do it is because it's the obvious thing to do:
-not-required doesn't mean -do-not-check/-ignored, it means "I will not
fail if you don't provide it but I will fail if you provide one that I can't
verify", IMHO.
Checking the certificate only if present and t
Alexander Littell wrote:
How difficult would it be to program the openvpn-status.log to show
usernames instead of common names? Or maybe both. Any thoughts on how to
do this?
I could be wrong, but I would guess that most OpenVPN administrators are
using username/password pairs instead of ce
Dave wrote:
It's not documented as such explicitly, but I'm assuming it's true that
client-to-client is not needed when the 'subnet topology' option is used.
True? Am I missing a subtlety?
Just as you still need client-to-client if you want clients to
communicate with each other *without going
Dong Thao Le Dinh wrote:
Hi all,
I'm doing research on OpenVPN activities through its source code. I
do a lot of Googling but still can't find any document about OpenVPN
source code. How is it organized, how does it work? For example, what are the
functions it uses for creating a tunnel? Can you g
Mike Martin wrote:
It would need to last indefinitely, and be managed by a remote client,
using Web Services, with minimal human intervention
A tool such as runit, with some wrappers, can provide the most immediate
layer of management -- at least with regard to ensuring that the VPN
stays up
I'm not an OpenVPN developer per se -- other than a few trivial patches
-- but I should be able to comment.
First -- the requirements for what you want a VPN to do in a grid
environment are something which need to be specified. Since OpenVPN is
limited to either a 2-endpoint peer-to-peer model
Florian Weimer wrote:
IPv6 is no real help because it's unlikely that we'll see that central
ULA registry in the foreseeable future.
IPv6 is plenty of help; see RFC 4193. Basically, every site that wants
an unroutable IP range randomly selects a 41-bit global ID to use as a
prefix for their ra
Personally, I think that adding IPv6 support (with its massive space for
private networks) is a better long-term fix for this issue. Getting yet
another private allocation (1) is questionable in terms of its
feasibility, and (2) doesn't do any good for folks who (for instance)
need to be attach
Denis dos Santos Silva |̲̅<̲̅Θ̲̅>̲̅| wrote:
* motd
--- like message of day, performed by client (in case, openvpn gui)
* message based on common name
--- a custom message, like ''last connected'' or a custom message
ccd or push-based
Both of these can already be done pushing the "echo" directi
richard lucassen wrote:
Is there a (simple) way to let OpenVPN use the same source address to
which the connection was set up like in the following example?
- set up tunnel x.x.x.x to dst address 1.1.1.2
return src address 1.1.1.2 to x.x.x.x
- set up tunnel x.x.x.x to dst address 2.2.2.2
ret
Because these are questions about usage with OpenVPN, rather than about
working on its code, please redirect this message to the openvpn-users
list rather than openvpn-devel. (Even messages concerning issues which
may be bugs belong on openvpn-users, unless you're a programmer offering
a patch
Denis dos Santos Silva wrote:
some key aspects of openvpn are undocumented.
scripts, for example.
No. Scripts are well-documented under the "SCRIPTING AND ENVIRONMENTAL
VARIABLES" section of the man page.
A specific format or language for writing scripts is not provided,
because OpenVPN d
Tony wrote:
On Thu, 18 May 2006 23:49:16 +0400, Charles Duffy
wrote:
Why not just have separate config files for each possible
configuration, rather than stuffing several configurations in one file?
I did not know if it is possible on the client.
Well, there's nothing about OpenVPN i
Why not just have separate config files for each possible configuration,
rather than stuffing several configurations in one file?
The configurations could be set to exit on failure, and a wrapper script
(supervised by runit or a similar tool) could be responsible for
rotating between them.
Tony wrote:
Under "some problems" I mean that the neighborhood is un-browsable if
NetBEUI is the only protocol used for workgrouping in windows.
It takes to specify the exact share's name, like "\\server\printer", to
find it. No discovery work at all.
That's not a tap-win32 bug; it's normal
James Yonan wrote:
Alberto,
By default, the OpenVPN client doesn't accept pushed options from the
server unless "pull" or "client" is specified. The idea is that once
you agree to accept configuration info from the server, you are trusting
(to a certain extent) in its integrity, so there are
Iftikhar Qureshi wrote:
I was wondering what does it take to write an OpenVPN client/driver for
PocketPC.
There's already someone working on this. See the thread titled
"WinCE/PPC; worthwhile to suport? possible?" on OpenVPN-users.
Collaboration might not hurt -- I understand that he's made
Szüts Péter wrote:
I see I have to be more specific, otherwise you underestimate me. :))
Evidently so; my apologies.
In any event, though, you should be posting to openvpn-users rather than
openvpn-devel. The former has a superset of the readers of the latter,
and your message will be more t
OpenVPN-devel is intended for those who are actively involved in working
on OpenVPN's source code. Your issue is more appropriate for
OpenVPN-users, as it discusses usage rather than development of OpenVPN.
That said -- try disabling the tap-win32 adapter. If you still see the
issue, you'll ha
Feel free to ignore the below rant. Revision control is (or at least was
for quite some time) one of my pet topics, and I occasionally feel
compelled to bore people at parties (or on mailing lists) with a
discussion of the subject. I certainly don't mean to compel anyone to
switch RCSs a *seco
Farkas Levente wrote:
> i always like to know my vpn endpoint has a static ip address so if i'd
> like to access joe's vpn i can simply use joe.vpn.company.com name.
This doesn't require a static address. I've posted a script to OpenVPN-users
for dynamically updating a DNS server when called by th
Just because OpenSSL is linked with zlib doesn't mean it's going to
actually use it for anything -- and to my knowledge, it doesn't.
On Sat, 03 Sep 2005 11:21:27 -0600, James Yonan wrote:
> The big question in my mind is whether this possibly small increase in
> performance will justify the loss of portability, and some level
> of stability and security.
Further, I'd think one who wanted to engage in such a tradeoff could us
This question should be posted to the openvpn-users list. If you were
asking how to change the code to support HPUX, for instance, that would be
appropriate for -devel; usage issues (as this is) are not.
(Hint: Read the error message and do what it says).
On Wed, 08 Jun 2005 00:53:33 +0200, Ralf Ebert wrote:
> OpenVPN offers the possibility to push "Windows-specific network settings"
> from the server to the client. Pushing a DNS server to the client doesn't
> seem to be Windows specific and would be quite a nice feature for other
> operating syste
On Thu, 26 May 2005 10:35:03 -0400, Zhenxiao Liu wrote:
> VPN client on Linux C uses tap2. But tap2 cannot get an IP that
> Linux A assigns. But if I use a windows client instead of Linux C, the
> tap device will get an IP address.
This belongs on openvpn-users, not openvpn-devel.
No, it's not a bug; your routing is broken. Please repost to
openvpn-users, and avoid posting initially to openvpn-devel unless your
question came up in the course of writing or debugging code for OpenVPN or
preparing to do so.
BTW, it's a bit late now, but this thread really belongs on openvpn-users
rather than openvpn-devel.
Alex Ongena wrote:
no, I'm not aware of such an option, nor do I find this
option/parameter in the manual page.
Because it's not there, because its behaviour is going to change in the
future. Search for it in the mailing list archives.
On Mon, 02 May 2005 10:31:54 +0200, Alex Ongena wrote:
> It's a proper shutdown on client side, so the client can inform
> the server. The server should call IMHO 'client-disconnect' and
> afterwards a 'client-connect', regardless if some timeouts are
> expired or not.
Do you have the "explicit-e
On Sat, 16 Apr 2005 01:25:46 -0700, Tomas Nouza wrote:
> After almost a year using OpenVPN, I found there are a lot of protocols
> sending big amount of small packets instead of smaller amount of bigger
> packets (e.g. skype, samba/netbios, and even tcp acks ...). And OpenVPN
> encapsulates each p
I'm trying to put together a patch to implement my desired behaviour wrt
resolv-retry and multiple remote hosts.
So far, I've made the following changes:
Setting the default resolv-retry count:
* Create a new constant, RESOLV_RETRY_UNSET
* Initialize resolve_retry_seconds to RESOLV_RE
On Fri, 01 Apr 2005 17:37:12 +0200, Rolf Fokkens wrote:
> You may be right, but I have the impression it may be a bug, which is
> more a developer issue.
Generally speaking, bugs themselves are user issues; code issues
encountered while fixing bugs or adding features are developer issues.
This r
Here's another idea:
Ditch the Palm, and get a Zaurus. OpenVPN should run there with no changes
whatsoever.
On Tue, 01 Mar 2005 09:29:18 +0100, Gerd Mueller wrote:
> hmm, I don't think it's possible to port the source to the palm but I
> think maybe the functionality. What do you think? We do not need all the
> features openvpn has ported to the palm, or do we?
Gerd,
Unless there have been major chang
On Thu, 10 Feb 2005 11:17:38 +0530, Prem Kumar J wrote:
> Yes I gave duplicate-cn option too in my conf file. I have attached both
> server and client conf file in my mail. I get the reset problem only when
> i use TAP whereas TUN I don't have any problem with.
Please repost to openvpn-users; open
On Wed, 09 Feb 2005 17:26:14 -0500, Leonard Isham wrote:
> You need to allow duplicate certificates.
...or to create unique client certificates. There's a lot to be said for
knowing who the connected clients are (in the logs, status files, etc) and
being able to individually revoke them; IMHO, su
On Thu, 2005-02-03 at 13:25 -0700, James Yonan wrote:
> Right, but I think he's asking for a challenge/response mechanism, which
> doesn't yet exist.
Erp -- my bad. I was thinking of a different one-time password scheme,
and didn't read his message fully. Apologies to all.
There's been much discussion of mesh networking w/ OpenVPN before; check
the mailing list archives.
In the meantime, as long as it's a fairly small number of endpoints (3, as
in the case you mention, should be no trouble at all), you can just
simulate it w/ extra tunnels and an appropriate routing
On Thu, 03 Feb 2005 15:28:29 +0100, Patrick Steiner wrote:
> Is it possible to use OpenVPN with OPIE (One Time Passwords in
> Everything) What i want is to connect from a windows client to a linux
> server. But for OPIE i need an interactive password authentication. this
> means: the server send pa
On Wed, 22 Dec 2004 11:00:09 +0100, Alberto Gonzalez Iniesta wrote:
> Recent updates of openvpn appear to have changed the handling of
> whitespace in tls certificate names.
...
> Now it needs '_' not '.' for spaces:
My guess is that this is a consequence of some string-handling changes
that wer
On Tue, 21 Dec 2004 21:09:21 +0100, Tor Håkon Gjerde wrote:
> It doesn't sound that hard to make that patch. If someone would be so kind
> and send me one, I would be very grateful.
Presuming that you aren't a coder yourself -- it typically doesn't work
that way. Generally speaking, folks in the
On Mon, 20 Dec 2004 11:23:56 +0200, Doncho N. Gunchev wrote:
> How from userspace you are going to access tap/tun device and insert
> IP/Ethernet packets?
He's not going to insert IP or ethernet packets at all -- he's only doing
client-to-client relaying, and so just using regular sockets wil
On Wed, 15 Dec 2004 12:54:42 +0800, sam wun wrote:
> Is there any perl version of OpenVPN client?
No.
Why would you want something slower and more resource-intensive to use in
a "stripped-down" environment?
You can compile builds of the regular OpenVPN source tree with unnecessary
features left
James,
I notice that the management interface terminates its lines \0d \0a \00.
Is the null termination intentional? If so, would you mind documenting it?
It caused a few subtle issues until I figured out what was going on, so I
wouldn't exactly mind if it went away.
(I'm working on a CLR-based
James has stated that he intends OpenVPN to support no features which
would have it masquerade as another protocol. AIUI, implementing GET or
POST methods would be effectively doing just that.
You could presumably just run OpenVPN through httptunnel without making
any changes to OpenVPN's source a
The below patch to the My Certificate Wizard makefile attempts to
determine whether a cross-compiler is available, and uses it if
possible. I'd like to see it applied, such that both folks on win32 and
*nix can use the same makefile w/o needing to twiddle it after checkout.
I haven't tested it on
Vlada,
In updating my local Certificate Wizard fork to be based off 0.3b, I
observed an issue introduced during your cleanup of my CopyOneFile
function.
My original code:
snprintf(buffer, MAXLINELEN, "Unable to copy \"%s\" to \"%s\" - error %d:
%%s", source, target, errorCode);
DisplayEr
On Wed, 10 Nov 2004 01:03:35 +0100, Stefan `Sec` Zehl wrote:
> Can the server support listening on two ports at the same time? This
> would make migration much easier.
It should be straightforward enough to have your firewall redirect
incoming connections from the old port to the new.
Instead of adding /usr/lib/liblzo.a, you should *replace* the -llzo with
it. Also, according to the error (the other two messages were warnings),
you need access to the dynamic linker (-ldl or /usr/lib/libdl.a on my
system) so the OpenSSL libraries can access getservbyname() at runtime.
On Wed, 20 Oct 2004 14:02:13 +, Dirk Tronienne wrote:
> How has the Makefile (...what else?) to be modified for LZO? Is "LDADD =
> -static -lssl -lcrypto -lzo" correct?
If you're using static libfoo, etc. then you don't use "-lfoo"; instead
you add "/path/to/libfoo.a" to the link command.
The attached makes EasyRSA commands source the vars file themselves, if
they can find it.
diff -ru3 openvpn-2.0_beta11/easy-rsa/build-ca easy-rsa/build-ca
--- openvpn-2.0_beta11/easy-rsa/build-ca Wed May 8 02:00:30 2002
+++ easy-rsa/build-ca Thu Oct 14 14:52:36 2004
@@ -4,6 +4,10 @@
# Build a roo
On Thu, 2004-10-14 at 12:59 -0600, James Yonan wrote:
> On Thu, 14 Oct 2004, Charles Duffy wrote:
> > I'm using OpenVPN under a process supervision framework that (optionally)
> > adds its own timestamps in the form -MM-DD_HH:MM:SS.x to the
> > beginning of each