"nobind", shouldn't openvpn have allocated the
next free port instead of trying to reuse 1194?
Finally, any ideas why openvpn doesn't cleanly exit all the time? I also
use openvpn client under Linux and it never shows these symptoms, so I'd
guess these are all win32-specific.
" set, openvpn
still explicitly binds to 1194. I always read the manpage as meaning
"nobind" meant "let the OS decide what port to use". In fact, I just
tried "lport 2" and that didn't work either! It still used 1194.
--
Cheers
Jason Haar
Information Secu
lport=1194 for udp and lport=>1023 for tcp
Jason
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
g a server problem. "nobind" only works in client mode
If you're using tun interfaces, you'll need to split your pool range
between the two instances.
--
Cheers
Jason Haar
Hi there
I think I've found bugs in openvpn (nobind doesn't work with UDP) and
the openvpnserv.exe for Windows (sometimes doesn't fully close down -
meaning you can't restart openvpn.exe), is there an official channel for
reporting bugs?
Thanks
--
Cheers
Jason Haar
On 02/03/2010 10:09 PM, Samuli Seppänen wrote:
> Hi Jason,
>
> You can file bugs to our SF.net bug tracker:
>
Thanks! Done it: 2945154 and 2945147
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprin
and when I
created the key and restarted openvpn, Win7 recategorized the interface
as "domain" - which is exactly right!
Shouldn't openvpn ensure it sets the same registry keys during install -
so that this always happens?
Thanks
Jason
On 02/25/2010 10:10 PM, Jason Haar wrote:
>
:39:30 2010 Cannot load certificate "SUBJ:client" from
Microsoft Certificate Store: error:C5066064:microsoft
cryptoapi:CryptAcquireCertificatePrivateKey:Invalid Signature.
Wed Mar 03 15:39:30 2010 Exiting
--
Cheers
Jason Haar
ing/rate shaping/etc. Could it be simply overloaded? When
you're nailing 70Mbs through it, how does it look?
--
Cheers
Jason Haar
" profiles? :-)
In a similar vein, the following ticket is in the bug tracking system -
there seems to be a general problem with mixing TCP and UDP options (eg
mssfix, nobind, fragment)
http://sourceforge.net/tracker/index.php?func=detail&aid=2945147&group_id=48978&atid=454720
--
Ch
ould work on every network in the world - with
only some high-security exceptions. I think that's a goal worth reaching
for :-)
BTW, from what I've read, Microsoft's DirectAccess does exactly this
(ipv6Direct-else-udpToredo-else-ipv6overTCP-else-ipv6overTCPoverProxy)...
Jason
--
Cheer
almost any network imaginable -
without user intervention.
Thanks!
--
Cheers
Jason Haar
websites would certainly be a good thing ;-)
--
Cheers
Jason Haar
e could be finer grained in our
reactions without resorting to such methods.
--
Cheers
Jason Haar
m I see is that we make extensive use of "--up"/etc scripts
and a user can sometimes do several "up->down->up" in a row - which
leads to "flapping" checks. If the server was told the client was
leaving, this would reduce these issues).
--
Cheers
Jason Haar
I
npage, I'm
surprised I've missed it :-}
--
Cheers
Jason Haar
mments about why I think a "pre" script option would be a good idea.
--
Cheers
Jason Haar
oned" CAs
I think you'll be out of luck making openvpn run through such an environment
> Also, doesn't this make openvpn different from other SSL VPNs which
> advertise the fact that they are truly SSL?
>
Yes it does
--
Cheers
Jason Haar
Information Security Manager, Tr
some other encrypted "skype protocol".
i.e. if an organization has a policied BlueCoat transparent HTTPS proxy,
and general egress filtering, does Skype work?
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprin
t, and
TCP-via-proxy if it has to. Basically, you'd be guaranteed a working VPN
session on any network that you're meant to be able to do such things on
(with one config).
--
Cheers
Jason Haar
that? Obviously there are other
ways for clients to work around the consequences of "--pull" - but a
start is a start
Thanks!
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
ally if it's crashed.
Good point. I reported this in Mar last year ("bugs with
openvpnserv.exe") and it seems it was acknowledged as an issue. Is that
fixed now? Would be great to see openvpn.exe restarting on error -
without having to resort to srvany or nssm ;-)
Thanks
--
Che
--
Cheers
Jason Haar
IP
- which makes asset management *much* easier and means you get
marvellous side-effects like I can be SSH-ed into a work machine at
home, suspend my laptop, go to another building and get a completely
different Internet address, and yet seconds later have openvpn
auto-reconnect to work and find
sabling "pull"
and/or using "route-noexec/route-nopull", etc). However, the server
can't tell the client to become a router (therefore opening up the
client's internal network to be accessible from the server), nor can it
force the client to create local accounts, inst
er, I'd be saying " the Internet is fine - it's the vpn
that's broken". I really doubt any vpn software could better compensate
for that corner case - and I think that fits the description of "lossy
network" well.
--
Cheers
Jason Haar
Corporate Information S
optional|required)" - with the
default still being "required" of course - sort of like Apache's
SSLVerifyClient
--
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
ut the few
people like me who use it will have to move to the new format ;-)
The migration plan Steffan suggested sounds perfect
--
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EB
Aug 4 16:18 nf_nat_sip.ko.xz
-rw-r--r-- 1 root root 1764 Aug 4 16:18 nf_nat_tftp.ko.xz
--
Cheers
Jason Haar
> not sure if there are other ways to achieve that - but this is what has
> been told to me...
I can confirm that is precisely the way we use openvpn. We use it as an
"always on vpn" and so it needs to be running via a service at boot
time. nssm works well for us in that regard
--
Chee
't have the
server components for parsing environment vars pushed by the client
Is there any reason that "feature" still isn't present? I mean - it's a
bug - there's no point in having the client support a feature that the
server can't even interpret?
--
Cheers
ot me sold
- git it is! :-)
--
Cheers
Jason Haar
t <2M
difference? It's not worth thinking about.
Ditching WinXP is definitely the right thing to do. People shouldn't be
running security software on dead OSes. They will do it poorly. Just sayin'
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone
such a realtime application is very latency
dependent. People who vpn across continents back to their "home" vpn
router complain that VoIP is awful, whereas those that vpn'ed into the
corporate site down the road from their hotel, they get much better
realtime performance. And if th
t is risky (IMHO). In general
icmp-ping works - but I've been involved with companies that disabled it
- so there will be others
--
Cheers
Jason Haar
I think about this needing to be an "openvpn ping" type
solution: it is irrelevant if the server is up or even if openvpn tcp
ports appear to be open, it's only evidence that openvpn is working that
should be taken as evidence that openvpn is - well - working :-)
--
Cheers
Jason H
ppily running on that for some time now - but just tried out
2.3.6 - and discovered that support still wasn't in there!
Was it dropped for some reason, or was/is 2.3_git not a true
representation of what ended up in the official 2.3 series? The missing
code was in src/openvpn/misc.c
Thanks
--
Che
iable as openvpn as a Unix service
Jason
--
Cheers
Jason Haar
because of my desire for the peer-id data, but I'd rather be vanilla
to be honest :-)
Thanks again!
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C06