Hi,
On Fri, Apr 17, 2020 at 03:40:12AM +0100, tincanteksup wrote:
> Missing the point completely.
>
> *Why* does openvpn expect a decimal value for something which is clearly
> intended to be and is at source Hex.
It is a *number*. Whether a particular frontend presents it as "hex" is
a matte
Hi,
On Thu, Apr 16, 2020 at 10:41 PM tincanteksup wrote:
>
> Missing the point completely.
>
> *Why* does openvpn expect a decimal value for something which is clearly
> intended to be and is at source Hex.
What the ideal format should be is arguable, but the "source" is
not in hex. Serial n
Missing the point completely.
*Why* does openvpn expect a decimal value for something which is clearly
intended to be and is at source Hex.
On 16/04/2020 20:25, Joe Patterson wrote:
My first thought is "It should be trivial to write a little script to
go through and link the decimal name to t
On Thu, 16 Apr 2020 12:02:17 +0200
richard lucassen wrote:
>
> If the optional dir flag is specified, enable a different mode where
> crl is a directory containing files named as revoked serial numbers
> (the files may be empty, the contents are never read). If a client
> requests a connection,
On Thu, 16 Apr 2020 15:25:38 -0400
Joe Patterson wrote:
> My first thought is "It should be trivial to write a little script to
> go through and link the decimal name to the hex name", and even
> though, intellectually, I know that the chance of a collision between
> hex and dec names in that larg
> > (My) users don't comprehend this. They don't grasp that it's just a
> > warning .
> >
> > They see this warning as error "rendering their current installation
> > faulty/non working" - while it's working perfectly.
>
> Yeah, it's a problem. And I'm about to add more such warnings now that
> ma
My first thought is "It should be trivial to write a little script to
go through and link the decimal name to the hex name", and even
though, intellectually, I know that the chance of a collision between
hex and dec names in that large a space would be infinitesimal, it
still manages to really bothe
Hi,
On 16/04/2020 19:52, richard lucassen wrote:
On Thu, 16 Apr 2020 12:02:17 +0200
richard lucassen wrote:
Yeah right:
cd /etc/openvpn/crl/tun0/
mv 0B 11
Now it works. The serial number must be decimal.
Which is even more 'fun' with randomised serial numbers, eg:
94:68:4a:17:db:99:a7:36
On Thu, 16 Apr 2020 14:29:38 -0400
Selva Nair wrote:
> > # touch /etc/openvpn/crl/0B
>
> IIRC, you have to use the decimal representation of the serial.
I just found out, I saw your post too late. That was it indeed.
Thnx!
R.
--
richard lucassen
http://contact.xaq.nl/
On Thu, 16 Apr 2020 12:02:17 +0200
richard lucassen wrote:
Yeah right:
cd /etc/openvpn/crl/tun0/
mv 0B 11
Now it works. The serial number must be decimal.
R.
--
richard lucassen
http://contact.xaq.nl/
___
Openvpn-users mailing list
Openvpn-users@
Hi,
>
> If the optional dir flag is specified, enable a different mode where
> crl is a directory containing files named as revoked serial numbers
> (the files may be empty, the contents are never read). If a client
> requests a connection, where the client certificate serial number
> (decimal s
On Thu, 16 Apr 2020 19:49:42 +0200
Gert Doering wrote:
> On Thu, Apr 16, 2020 at 12:58:35PM +0200, Dajka Tamás wrote:
> > If it cannot read the crl file, then that's a problem :) Check if
> > all directories are world readable (not just the crl, but all
> > 'upstream' directories, like /etc, /etc/o
On Thu, 16 Apr 2020 19:34:21 +0200
Dajka Tamás wrote:
> Is selinux/apparmor enabled? That can prevent the openvpn process from
> reading the file.
>
> I know you've checked the files/dirs, but it's always a good idea to
> check it with the actual user accessing it; it's too easy to
> overlook/miss some
Hi,
On Thu, Apr 16, 2020 at 12:58:35PM +0200, Dajka Tamás wrote:
> If it cannot read the crl file, then that's a problem :) Check if all
> directories are world readable (not just the crl, but all 'upstream'
> directories, like /etc, /etc/openvpn ... !)
--chroot in use? --chdir, and no absolute pa
Is selinux/apparmor enabled? That can prevent the openvpn process from reading
the file.
I know you've checked the files/dirs, but it's always a good idea to check it
with the actual user accessing it; it's too easy to overlook/miss something.
-Original Message-
From: richard lucassen [mailto:ma
On Thu, 16 Apr 2020 14:59:34 +0200
Antonio Quartulli wrote:
> > If u can't restart the server how can you test? Changing the server
> > side requires reboot.
>
> This is not the case for CRLs and CRL directories. The server will get
> the freshest data even without reboot.
Correct, but adding "
On Thu, 16 Apr 2020 13:38:39 +0200
Dajka Tamás wrote:
> Still does NOT work? You mean, you are able to connect?
Yep. And according to the man page the server should reject certificate
with serial 0B if a file exists in crl/0B (file can be empty)
> If u can't restart the server how can you test?
Hi,
On Thu, Apr 16, 2020 at 8:25 AM Ralf Hildebrandt
wrote:
>
> * Jonathan K. Bullard :
>
> > Just for the record, the best way to install configurations in
> > Tunnelblick is to drag the configuration(s) and drop them on the
> > Tunnelblick icon in the menu bar. The user can install "incomplete"
Hi,
On 16/04/2020 13:38, Dajka Tamás wrote:
> Still does NOT work? You mean, you are able to connect?
>
> If u can't restart the server how can you test? Changing the server side
> requires reboot.
This is not the case for CRLs and CRL directories. The server will get
the freshest data even with
Jonathan,
Yes I am aware of the proper approach, we don't espouse just double
clicking.
And I concur too, the functionality of Tunnelblick is great, I've used
it lots over the years.
Colin
On 2020-04-16 8:24 a.m., Ralf Hildebrandt wrote:
* Jonathan K. Bullard :
Just for the record, the
* Jonathan K. Bullard :
> Just for the record, the best way to install configurations in
> Tunnelblick is to drag the configuration(s) and drop them on the
> Tunnelblick icon in the menu bar. The user can install "incomplete"
> .ovpn files, too, as long as the cert/key/etc. files the .ovpn files
>
I'll try to use a separate DHCP as Gert suggested and will see :)
-Original Message-
From: Ralf Hildebrandt [mailto:ralf.hildebra...@charite.de]
Sent: Thursday, April 16, 2020 1:59 PM
To: Dajka Tamás
Cc: openvpn-users@lists.sourceforge.net
Subject: Re: [ext] [Openvpn-users] Windows GUI +
Hi,
On Wed, Apr 15, 2020 at 10:19 AM Colin Ryan wrote:
>
> Folks,
>
> Per a previous email (and thanks for the help), I've been playing around
> with the 11 GUI.
>
>
> One thing that has come up is wondering if there is any way to generate a
> situation where if a user is presented a complete (i.e
* Dajka Tamás :
> Yes (given he/she can access the proxy through the VPN - the defgw is pushed
> also)
>
> PROXY_AUTO_CONFIG_URL is a 'wpad'/'pac' file for me, containing all the infos
> needed - standard format.
Same as here; I don't think there's a way :/
Ralf Hildebrandt
Charité - Universi
Yes (given he/she can access the proxy through the VPN - the defgw is pushed
also)
PROXY_AUTO_CONFIG_URL is a 'wpad'/'pac' file for me, containing all the infos
needed - standard format.
Cheers,
Tom
-Original Message-
From: Ralf Hildebrandt [mailto:ralf.hildebra...@charite.d
Still does NOT work? You mean, you are able to connect?
If u can't restart the server how can you test? Changing the server side
requires reboot.
You might have missed something with the directory rights. Simply 'su' to
nobody with a valid shell and try to read the 0B file
-Original Message-
On Thu, 16 Apr 2020 13:00:53 +0200
richard lucassen wrote:
> On Thu, 16 Apr 2020 12:50:30 +0200
> richard lucassen wrote:
>
> When adding the option on the CLI I see that it reads the option:
>
> # openvpn --crl-verify /etc/openvpn/crl/tun0 dir \
> --config /etc/openvpn/server.conf | grep -i
On Thu, 16 Apr 2020 12:58:35 +0200
Dajka Tamás wrote:
> If it cannot read the crl file, then that's a problem :) Check if all
> directories are world readable (not just the crl, but all 'upstream'
> directories, like /etc, /etc/openvpn ... !)
That is all ok. It is all 755 for dirs and 644 for file
On Thu, 16 Apr 2020 12:50:30 +0200
richard lucassen wrote:
When adding the option on the CLI I see that it reads the option:
# openvpn --crl-verify /etc/openvpn/crl/tun0 dir \
--config /etc/openvpn/server.conf | grep -i crl
Thu Apr 16 12:56:01 2020 us=442959 crl_file = '/etc/openvpn/crl/tun
If it cannot read the crl file, then that's a problem :) Check if all
directories are world readable (not just the crl, but all 'upstream'
directories, like /etc, /etc/openvpn ... !)
-Original Message-
From: richard lucassen [mailto:mailingli...@lucassen.org]
Sent: Thursday, April 16, 2020
On Thu, 16 Apr 2020 12:30:48 +0200
Dajka Tamás wrote:
> why not simply use a CRL file and revoke the unneeded certificate?
Because it's a nice and simple option ;-)
> To debug the issue, I think we'll need some logs with 'verb 4' - at
> least from the server side.
Even with "verb 9" there is
Hi,
why not simply use a CRL file and revoke the unneeded certificate?
To debug the issue, I think we'll need some logs with 'verb 4' - at least
from the server side.
Cheers,
Tom
-Original Message-
From: richard lucassen [mailto:mailingli...@lucassen.org]
Sent: Thursday, Apr
Hello list,
Debian Buster, OpenVPN 2.4.0-6
In the man page there is a flag 'dir' to the option 'crl-verify':
If the optional dir flag is specified, enable a different mode where
crl is a directory containing files named as revoked serial numbers
(the files may be empty, the contents are never
* Colin Ryan :
> Folks,
>
> Per a previous email (and thanks for the help), I've been playing around
> with the 11 GUI.
>
>
> One thing that has come up is wondering if there is any way to generate a
> situation where if a user is presented a complete (i.e. embedded certs)
> .ovpn config file is
* Dajka Tamás :
> Hi All,
>
>
>
> is there any way to push proxy config to clients with the Win Gui?
> PROXY_AUTO_CONFIG_URL does not seem implemented. Server is a bridge config,
> but openvpn server assigns the IP addresses. If I change that to a separate
> DHCP will it work as a DHCP option?
35 matches