Re: [Openvpn-users] OpenVPN and CWE-316?

2024-08-14 Thread Selva Nair
On Wed, Aug 14, 2024 at 2:52 AM Gert Doering wrote: > Hi, > > On Tue, Aug 13, 2024 at 08:14:23PM -0400, Selva Nair wrote: > > Nonetheless, on Windows, we could easily add CryptProtectMemory() with > > SAME_PROCESS access for good measure, especially for those who cannot us

Re: [Openvpn-users] OpenVPN and CWE-316?

2024-08-13 Thread Selva Nair
On Tue, Aug 13, 2024 at 7:02 PM David W Graham wrote: > CryptProtectMemory function (dpapi.h) > > "The CryptProtectMemory function encrypts > memory > to prevent others from viewing sensitive information in your process. For > exa

Re: [Openvpn-users] Where does openvpn GUI (on Windows) store the user's password?

2024-07-18 Thread Selva Nair
Hi On Thu, Jul 18, 2024 at 8:40 AM Ralf Hildebrandt via Openvpn-users < openvpn-users@lists.sourceforge.net> wrote: > Where does openvpn GUI (on Windows) store the user's password, if the > user chooses to store the credentials? > The password is encrypted using CryptProtectData() and the blob s

Re: [Openvpn-users] TLS key negotiation failed to occur ISP screws up the VPN

2024-05-18 Thread Selva Nair
On Sat, May 18, 2024 at 12:00 PM Bo Berglund wrote: > On Sat, 18 May 2024 11:22:37 +0200, Gert Doering > wrote: > > >Since you do not want to hear that, we won't tell you that 2.4.0 is > >8 years old, and a zillion improvements went into what is now 2.6.10, > > Just curious: > I am running openv

Re: [Openvpn-users] TLS key negotiation failed to occur ISP screws up the VPN

2024-05-18 Thread Selva Nair
> > > > This node where the logs were from (server): > OpenVPN 2.4.7 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] > [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019 > > Other (client) > OpenVPN 2.4.0 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] > [EPOLL] [PKCS11] [MH/

Re: [Openvpn-users] TLS key negotiation failed to occur ISP screws up the VPN

2024-05-17 Thread Selva Nair
Hi, > Fri May 17 13:23:15 2024 us=936860 SIGUSR1[soft,tls-error] received, process restarting > Fri May 17 13:23:15 2024 us=937343 Restart pause, 300 second(s) If this is the tls-server side of the p2p connection, this is weird. What version of OpenVPN is this? We fixed the backoff logic in 2.5.3

Re: [Openvpn-users] Limit the number of users based on the key

2024-01-10 Thread Selva Nair
> > 2- The Active Directory server is located inside the company, and if users > want to connect to the OpenVPN server from outside the company, then how is > authentication done? > VPN authentication is done by your OpenVPN server. As long as the server has access to the AD, it does not matter wh

Re: [Openvpn-users] Migrating to new CA

2023-10-03 Thread Selva Nair
Hi, > think I am getting closer with the "one step" process with an > intermediary cert. I am able to start up the server with both the new CA > signed server cert and the intermediary as outlined in "Step 3" above. > However, it's like the server is not sending two server certs to the > connectin

Re: [Openvpn-users] Migrating to new CA

2023-10-02 Thread Selva Nair
> > Thanks Selva for the link! Two rounds will be a bit laborious as there > are many endpoints. If I have to go for option A (Stacked CAs on all > clients, stacked CAs on the server then update the server), is there a > downside with leaving an expired CA cert on all the clients ? Or can they >

Re: [Openvpn-users] Migrating to new CA

2023-10-02 Thread Selva Nair
On Mon, Oct 2, 2023 at 3:00 PM mike tancsa wrote: > I am in a position where I want to start migrating users away from my > old CA which will expire in the medium term future to a new CA. I have > many endpoint and can't just "OK, everyone download a new files now." > So I am looking at the step

Re: [Openvpn-users] Internal DNS server & Windows 11 behaviour

2023-08-08 Thread Selva Nair
Hi Bruno, > Another reason which incited me to continue using the "Connect" client > was the fact that for rather old people not very accustomed to VPNs and > the like (my "customers" are mostly retired people in their sixties or > seventies), having a big window open, with a clear feedback showi

Re: [Openvpn-users] Internal DNS server & Windows 11 behaviour

2023-08-07 Thread Selva Nair
Hi, > Hi Gert, many thanks, everything's fine, the "block-outside-dns" option > works perfectly, but we'll have to use OpenVPN GUI only, as OpenVPN > Connect rejects this as an unknown option. Not a big deal, at least we > have a working solution. > I'm just being curious, is there any reason wh

Re: [Openvpn-users] Is it possible to view the running OpenVPN configuration?

2023-07-22 Thread Selva Nair
On Sat, Jul 22, 2023 at 3:20 AM Leroy Tennison via Openvpn-users < openvpn-users@lists.sourceforge.net> wrote: > I have a situation where the conf file was modified by someone else but no > backup was made (I know, bad practice, I don't have control over that) but > ps seems to indicate that OpenV

Re: [Openvpn-users] After upgrade Windows 10 client to OpenVPN 2.6, Yubikey PKCS11 PIV fails on server with error 0A00007B:SSL routines::bad

2023-03-10 Thread Selva Nair
Hi, > I’m willingly testing the new GHA build and let you know the result as soon as possible. The link I sent was for the zip file for x64 build -- the following may be more transparent to show the branch it corresponds to. https://github.com/selvanair/openvpn/actions/runs/4384798323#artifacts

Re: [Openvpn-users] After upgrade Windows 10 client to OpenVPN 2.6, Yubikey PKCS11 PIV fails on server with error 0A00007B:SSL routines::bad

2023-03-10 Thread Selva Nair
Hello, On Thu, Mar 9, 2023 at 4:01 AM openvpn wrote: > Hi, I’m posting the following question here as I was redirected to this > mailing list for support by OpenVPN forum. > > > > > https://forums.openvpn.net/viewtopic.php?p=110748&hilit=error+0A7B#p110748 > Thanks for your report. I think we i

Re: [Openvpn-users] OpenVPN 2.6 cryptoapicert ISSUER not viable

2023-03-04 Thread Selva Nair
Hi, On Sat, Mar 4, 2023 at 10:53 AM wrote: > > Am I wrong in assuming ISSUER: is a search parameter under > cryptoapicert? > > I've tried it in a lab and receive the message *"unsupported certificate > specification "* > This feature was added after the 2.6.0 release. It will be in 2.6.1 relea

Re: [Openvpn-users] OpenVPN-GUI 11.36.0: There might be a bug

2023-02-09 Thread Selva Nair
On Thu, Feb 9, 2023 at 4:54 PM Stella Ashburne wrote: > Hi, > > I have three config directories/folders, each from a different VPN > provider. They are all in C:\Program Files\OpenVPN > > Let's call the three config folders config-1, config-2 and config-3 > > The default config folder is simply c

Re: [Openvpn-users] Correct way to handle routing when on home network?

2022-09-28 Thread Selva Nair
Hello, On Wed, Sep 28, 2022 at 1:10 PM Sebastian Arcus wrote: > > On 27/09/2022 21:09, tincantech wrote: > Some updates from today's testing: > > Test case 1 > > Topology: subnet > Adapter: WinTUN > Netbios over TCP/IP: disabled or enabled > Result: 300kbs (for both states of NetBIOS over TCP/IP

Re: [Openvpn-users] Correct way to handle routing when on home network?

2022-09-23 Thread Selva Nair
On Fri, Sep 23, 2022 at 5:07 PM Sebastian Arcus wrote: > On 23/09/2022 14:48, Selva Nair wrote: > > Having said that, I took another look at the routing table on the > Win10 > > client and noticed something odd. The only /32 routes I could find > are > &

Re: [Openvpn-users] Correct way to handle routing when on home network?

2022-09-23 Thread Selva Nair
> > Having said that, I took another look at the routing table on the Win10 > client and noticed something odd. The only /32 routes I could find are >192.168.112.236 255.255.255.255 On-link 192.168.112.236281 >192.168.112.255 255.255.255.255 On-link 192.168.112.236

Re: [Openvpn-users] auth-token behaviour change in v2.5.0

2022-07-03 Thread Selva Nair
Hi, On Sat, Jul 2, 2022 at 6:20 PM Connor Edwards via Openvpn-users < openvpn-users@lists.sourceforge.net> wrote: > Right, I think I'm getting somewhere with this now. It's not the OpenVPN > server version, it seems to be something to do with the management socket > options. > > I mentioned that

Re: [Openvpn-users] Problem with service on windows server

2022-06-27 Thread Selva Nair
Hi, If you are referring to running at boot using the so-called automatic service, the service runs as local system and spawns openvpn.exe with elevated privileges. If using the GUI, the "right" way is to run the GUI without elevation, let the interactive service start openvpn.exe as user (not el

Re: [Openvpn-users] Problem with service on windows server

2022-06-27 Thread Selva Nair
Hi, > the \\config-auto folder is only created if the 'openVPN Service' is > selected *manually* during installation. > We need to install the automatic service without manual intervention. Is this also the behaviour on a fresh install instead of an update? The logic for installing the service w

Re: [Openvpn-users] Problem with service on windows server

2022-06-25 Thread Selva Nair
Hi, Check whether openvpnservice is installed by running the following from a command line: sc query OpenVPNService. It will show whether the service exists and its current state. If installed but not running, open Services and change the startup to automatic and start it. If not installed, you may h

Re: [Openvpn-users] OpenVPN Client 2FA problem with Backslash

2022-03-10 Thread Selva Nair
On Thu, Mar 10, 2022 at 6:14 AM Jakob Curdes wrote: > Hello all, > > we are trying to implement 2FA for several existing Firebox SSL VPNs > (which essentially uses OpenVPN on server and client side). The remote > users all use the Windows OpenVPN client. This works perfectly without 2FA, > and it

Re: [Openvpn-users] LAN-LAN connection via ASUS Router OpenVPN?

2022-01-14 Thread Selva Nair
Hi On Fri, Jan 14, 2022 at 10:36 AM Bo Berglund wrote: > > I have two ASUS routers, RT-AC68U and RT-AC86U. > One is sitting at home (RT-AC86U) on a fiber connection and the other will > soon > be placed at my summer home where we have just gotten a fiber installed. > > Now I would like to hook t

Re: [Openvpn-users] Kill OpenVPN clients from server so that they do not restart automatically

2021-12-30 Thread Selva Nair
Hi, On Thu, Dec 30, 2021 at 7:14 AM Paul Pooker wrote: > > Hello, > > I was wondering whether anyone has found a way to kill clients in such a > manner that they are prevented from reconnecting to the server automatically, > with either the client being re-prompted for their passphrase to unloc

Re: [Openvpn-users] Current openvpn(related) CVEs

2021-11-23 Thread Selva Nair
On Tue, Nov 23, 2021 at 11:13 AM Selva Nair wrote: > > > On Tue, Nov 23, 2021 at 8:51 AM Ralf Hildebrandt < > ralf.hildebra...@charite.de> wrote: > >> Yeah, it's in german, but anyway: >> >> https://www.heise.de/news/FBI-warnt-vor-Einbruechen-via-VPN-

Re: [Openvpn-users] Current openvpn(related) CVEs

2021-11-23 Thread Selva Nair
On Tue, Nov 23, 2021 at 8:51 AM Ralf Hildebrandt < ralf.hildebra...@charite.de> wrote: > Yeah, it's in german, but anyway: > > https://www.heise.de/news/FBI-warnt-vor-Einbruechen-via-VPN-Software-6274101.html > > "An attacker can take leverage on this architecture and send the > config command fro

Re: [Openvpn-users] push-reset / override defaults in ccd files ?

2021-11-16 Thread Selva Nair
On Tue, Nov 16, 2021 at 3:16 PM mike tancsa wrote: > Hi all, > > I have a number of vpn endpoints where I push a set of routes > through the server's config. I now need to make an exception for one > such client. As it's in the field, I have no easy way of changing the > remote config. Is t

Re: [Openvpn-users] Issue a specific tunnel to re-connect to the next server

2021-11-15 Thread Selva Nair
On Mon, Nov 15, 2021 at 1:42 PM Rui Santos wrote: > 0 > > On 15/11/21 17:06, Jan Just Keijser wrote: > > Hi Rui, > > > > > Hello Jan! Thanks for getting back to me :) > > > this is indeed what you use the management interface for. Read up at e.g. > > https://openvpn.net/community-resources/manag

Re: [Openvpn-users] Issue a specific tunnel to re-connect to the next server

2021-11-15 Thread Selva Nair
Hi, > > client-kill CID > > > > from the management interface of the server. Here CID is the client-id > > of the client which could be obtained from status output. This command > > by default causes the client to RESTART. It takes an optional argument > > if you want to, say, HALT the client ins

Re: [Openvpn-users] Issue a specific tunnel to re-connect to the next server

2021-11-15 Thread Selva Nair
On Mon, Nov 15, 2021 at 12:08 PM Jan Just Keijser wrote: > Hi Rui, > > On 15/11/21 17:32, Rui Santos wrote: > > Hello everyone, > > > > I'm trying to design a setup where I define 2 servers for a particular > > client to connect to, basically 2 remote directives within the same > > client config

Re: [Openvpn-users] PKCS#11: Cannot get certificate object, PKCS#11: Unable get evp object

2021-10-14 Thread Selva Nair
On Thu, Oct 14, 2021 at 4:49 AM Jakub Niezabitowski wrote: > Hello! > > Recently I have been working on authenticating users using TPM2. I am > using tpm2-pkcs11 project. > > Sadly I can't get it to work with openvpn. I have tried changing format of > pkcs11-id as suggested in different threads b

Re: [Openvpn-users] On-demand OVPN connection from Windows 10?

2021-09-22 Thread Selva Nair
On Wed, Sep 22, 2021 at 4:35 PM Gert Doering wrote: > Hi, > > On Wed, Sep 22, 2021 at 03:45:26PM -0400, Selva Nair wrote: > > Is it worth the trouble? Isn't this use case arising from wanting to use > > the GUI for something that it's not? > > Yeah, maybe it

Re: [Openvpn-users] On-demand OVPN connection from Windows 10?

2021-09-22 Thread Selva Nair
Hi, On Wed, Sep 22, 2021 at 12:55 PM Gert Doering wrote: > Hi, > > On Wed, Sep 22, 2021 at 06:22:15PM +0200, Bo Berglund wrote: > > - send a silent_connection 1 command > > - Wait a while for the command to be executed > > - then send the actual connection command > > - Wait until we have a conn

Re: [Openvpn-users] On-demand OVPN connection from Windows 10?

2021-09-22 Thread Selva Nair
On Wed, Sep 22, 2021 at 9:18 AM Bo Berglund wrote: > On Tue, 21 Sep 2021 10:37:10 -0400, Selva Nair > wrote: > > >> >> >We have some support for sending commands to the GUI to > >> >> >connect, disconnect etc.. See > >> >> > >

Re: [Openvpn-users] On-demand OVPN connection from Windows 10?

2021-09-21 Thread Selva Nair
Hi On Tue, Sep 21, 2021 at 8:42 AM Bo Berglund wrote: > On Fri, 18 Jun 2021 11:15:00 -0400, Selva Nair > wrote: > > >Hi, > > > >On Fri, Jun 18, 2021 at 3:36 AM Bo Berglund > wrote: > > > >> On Sat, 12 Jun 2021 14:01:51 -0400, Selva Nair > >

Re: [Openvpn-users] [Openvpn-devel] Adding RSA-PSS support in pkcs11-helper

2021-07-30 Thread Selva Nair
stribution. > > I can now get TLS1.3 working using the pkcs11 interface. > > ---Mike > > On 5/2/2021 7:13 PM, Selva Nair wrote: > > Hi, > > > > Currently RSA-PSS signatures are handled in pkcs11-helper by asking > > the token to do raw RSA signature

Re: [Openvpn-users] [ext] Re: CA migration?

2021-07-22 Thread Selva Nair
Hi On Thu, Jul 22, 2021 at 9:10 PM Joe Patterson wrote: > Or, make a new ca.crt file with both the old and new ca certs, no > cross-signing required. Deploy to server, then to clients, so that > both server and clients trust both CA's. Then update the client certs > one by one to the new CA. Th

Re: [Openvpn-users] [ext] Re: CA migration?

2021-07-22 Thread Selva Nair
Hi, On Thu, Jul 22, 2021 at 3:40 AM Ralf Hildebrandt < ralf.hildebra...@charite.de> wrote: > * Bo Berglund : > > On Wed, 21 Jul 2021 10:57:50 +0200, Ralf Hildebrandt > > wrote: > > > > >But how do I do this? Can I make openvpn accept client certificates > > >from two CAs (the old and the new one

Re: [Openvpn-users] OpenVPN 2fa user authentication

2021-07-05 Thread Selva Nair
Hi On Mon, Jul 5, 2021 at 11:58 AM David Mehler wrote: > Hello, > > Thank you for your reply. I do not have a plugin-auth-pam I've run a > find for it. Where would this be at, this would be perfect, especially > if I'm understanding your response right each client certificate would > then be bou

Re: [Openvpn-users] On-demand OVPN connection from Windows 10?

2021-06-18 Thread Selva Nair
Hi, On Fri, Jun 18, 2021 at 3:36 AM Bo Berglund wrote: > On Sat, 12 Jun 2021 14:01:51 -0400, Selva Nair > wrote: > > >> I wonder if there is some way (on Windows) to start the tunnel > connection > >> from > >> the special comm program and then close it

Re: [Openvpn-users] On-demand OVPN connection from Windows 10?

2021-06-12 Thread Selva Nair
On Sat, Jun 12, 2021 at 6:28 PM Bo Berglund wrote: > On Sat, 12 Jun 2021 22:05:51 +0200, Bo Berglund > wrote: > > >>We have some support for sending commands to the GUI to > >>connect, disconnect etc.. See > >> > >> > https://github.com/OpenVPN/openvpn-gui#send-commands-to-a-running-instance-of-

Re: [Openvpn-users] On-demand OVPN connection from Windows 10?

2021-06-12 Thread Selva Nair
Hi On Sat, Jun 12, 2021 at 1:53 PM Bo Berglund wrote: > I am using the OpenVPN Gui application on my Windows 10 laptop to connect > to a > variety of locations where I have put OpenVPN servers. > This has always until now been a matter of establishing a connection prior > to > doing something on

Re: [Openvpn-users] Client-to-client setup fails mysteriously... (1/1)

2021-06-04 Thread Selva Nair
Hi, You can share large logs using some service like pastebin in pure text format. Compressed logs are hard to look through. As per the logs the server gets the initial TLS packet from the second client, but hears nothing after that. The client gets nothing back from the server. So something is b

Re: [Openvpn-users] Client-to-client setup fails mysteriously...

2021-06-04 Thread Selva Nair
Hi, You have to post the full client and server logs -- we need to see the whole server log showing one connection succeeding and the subsequent one failing. And the corresponding (i.e. matching) client logs. I want to see what routes are being set up, which port and IP connections are coming from

Re: [Openvpn-users] Client-to-client setup fails mysteriously...

2021-06-04 Thread Selva Nair
On Fri, Jun 4, 2021 at 3:34 PM Bo Berglund wrote: > > On Fri, 04 Jun 2021 20:17:59 +0200, Bo Berglund wrote: > > >What could be causing this strange behavior? > > > >It seems like when the server has been connected to it goes blind for a while > >but then returns to normal for a new comm session.

Re: [Openvpn-users] MSI Installer Source?

2021-06-03 Thread Selva Nair
On Thu, Jun 3, 2021 at 3:12 PM Colin Ryan wrote: > > Folks, > > I've been customizing the NSIS installer for years. Want to look at > moving to the MSI installer. Is there a source file for the community > edition that I can use as a starting point? Have you checked openvpn-build? That's where bu

Re: [Openvpn-users] Ovpn 2fa auth

2021-06-03 Thread Selva Nair
Hi On Thu, Jun 3, 2021 at 1:40 PM Gokan Atmaca wrote: > > Hello > > I am using Ubuntu server. I am using openvpn as SSL and TLS. PAM auth. > together... Now I want to use google mfa. I got the following errors > in the settings I made. > I can ssh sign with the same 2fa information. > > > What co

Re: [Openvpn-users] GUI auto-disconnect option

2021-05-27 Thread Selva Nair
On Thu, May 27, 2021 at 11:40 AM tincantech via Openvpn-users wrote: > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Hi, > > ‐‐‐ Original Message ‐‐‐ > On Thursday, 27 May 2021 16:25, Gert Doering wrote: > > > Hi, > > > > On Thu, May 27, 2021 at 04:33:54PM +0200, Bo Berglund wro

Re: [Openvpn-users] GUI auto-disconnect option

2021-05-20 Thread Selva Nair
Hi, > Hi, > > the OP did not follow up, so here it is: > https://forums.openvpn.net/viewtopic.php?f=10&t=32300 The user wants to automatically disconnect a connection when another one using a different config is started. > I guess it could be a useful switch ? > No, it's not. Not everyone want

Re: [Openvpn-users] How to disconnect a user from the server?

2021-05-12 Thread Selva Nair
Hi, > > @selva I can't kill the whole client, as I'm doing a duplicate-cn. Hence I > had to kill via IP address and port to pinpoint exactly that user. > > However I have found a secret feature, which it seems you guys weren't aware > of. ;-) > > client-deny 4 0 "Disconnect Now" client-deny is

Re: [Openvpn-users] How to disconnect a user from the server?

2021-05-11 Thread Selva Nair
On Tue, May 11, 2021 at 2:04 PM tincantech via Openvpn-users wrote: > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Hi, > > ‐‐‐ Original Message ‐‐‐ > On Tuesday, 11 May 2021 15:07, Houman wrote: > > > Hello, > > > > I have been struggling to find a way to disconnect a specific

Re: [Openvpn-users] How to disconnect a user from the server?

2021-05-11 Thread Selva Nair
Hi, Use "client-kill CID HALT" from the management interface. The third argument of this command is optional (defaults to RESTART) -- what you want is HALT. Use "status 2" to get the CID of the client. The client will get a termination signal. If you are using the Windows GUI for the client, it

[Openvpn-users] Adding RSA-PSS support in pkcs11-helper

2021-05-02 Thread Selva Nair
Hi, Currently RSA-PSS signatures are handled in pkcs11-helper by asking the token to do raw RSA signature of data already padded by OpenSSL. Many new hardware tokens refuse to support this mode and require the padding to be done in hardware. For a recent user report see this thread: https://www.m

Re: [Openvpn-users] How to send 2nd factor to server ?

2021-04-28 Thread Selva Nair
Hi On Wed, Apr 28, 2021 at 11:52 AM Gert Doering wrote: > > Hi, > > On Wed, Apr 21, 2021 at 07:29:52PM +0200, Dajka Tamás wrote: > > If interested, I can send the script over ( PAM is used for user > > auth against an MS AD, and Radius is used for SecurID, since that > > handle's challenge-resp

Re: [Openvpn-users] PKCS11 problems with 2.5.1 under windows 10

2021-04-21 Thread Selva Nair
Hi Mike, On Wed, Apr 21, 2021 at 4:55 PM mike tancsa wrote: > On 4/21/2021 12:05 PM, Selva Nair wrote: > > I think that patch is still not applied upstream. I tested softhsm > > using your instructions and it works for TLS 1.3 and PSS -- softhsm2 > > gets request to sign p

Re: [Openvpn-users] How to send 2nd factor to server ?

2021-04-21 Thread Selva Nair
Hi, On Wed, Apr 21, 2021 at 1:35 PM Joe Patterson wrote: > I stand corrected! That's very useful to know. > > Does the "OTP" keyword in the plugin correspond to the OTP argument in > the static challenge? > No, the argument to static-challenge is local to the client and only used for prompting

Re: [Openvpn-users] How to send 2nd factor to server ?

2021-04-21 Thread Selva Nair
Hi On Wed, Apr 21, 2021 at 11:48 AM Joe Patterson wrote: > > What you're looking for is the openvpn challenge/response protocol, > which can be used when authentication is done via the management > interface. > > https://openvpn.net/community-resources/management-interface/ > describes it a bit.

Re: [Openvpn-users] PKCS11 problems with 2.5.1 under windows 10

2021-04-21 Thread Selva Nair
Hi, On Wed, Apr 21, 2021 at 6:32 AM Jan Just Keijser wrote: > > Hi, > > On 20/04/21 20:05, Selva Nair wrote: > > On Tue, Apr 20, 2021 at 6:47 AM Jan Just Keijser wrote: > >> [...] > > >> This is surprising. SoftHSM would support raw RSA signatures

Re: [Openvpn-users] PKCS11 problems with 2.5.1 under windows 10

2021-04-20 Thread Selva Nair
Hi, On Tue, Apr 20, 2021 at 6:47 AM Jan Just Keijser wrote: > > Hi Selva, > ..some good info snipped.. > > I agree that it is better to stop using pkcs11-helper (if possible). I can > reproduce the problem using "softhsm" (from http://www.opendnssec.org/) as > well, thus you don't even need a

Re: [Openvpn-users] PKCS11 problems with 2.5.1 under windows 10

2021-04-19 Thread Selva Nair
Hi JJK, On Mon, Apr 19, 2021 at 7:19 AM Jan Just Keijser wrote: > Hi Selva, > > > On 15/04/21 20:20, Selva Nair wrote: > > [...] > > >> > >> > >> Another thing I am not clear on, is where the cert signature type is set > >> / required. I

Re: [Openvpn-users] PKCS11 problems with 2.5.1 under windows 10

2021-04-15 Thread Selva Nair
Hi, On Thu, Apr 15, 2021 at 1:46 PM mike tancsa wrote: > > On 4/14/2021 8:23 PM, Selva Nair wrote: > > > > You can restrict TLS version using the option --tls-version-min in > > OpenVPN config file, but restricting to TLS 1.2 is not enough with > > OpenSSL 1.1.1. I

Re: [Openvpn-users] PKCS11 problems with 2.5.1 under windows 10

2021-04-14 Thread Selva Nair
Hi, On Wed, Apr 14, 2021 at 8:09 PM mike tancsa wrote: > Thank you very much for the analysis and pointer. The application is a > kiosk type environment and for a number of reasons, the windows dialog > PIN popping up is not workable. It's been a while since I built OpenVPN > from source, but I

Re: [Openvpn-users] PKCS11 problems with 2.5.1 under windows 10

2021-04-14 Thread Selva Nair
Hi, As per the logs, it's requesting an unpadded signature of size 256 (padding = 3), which is expected with OpenSSL 1.1.1 and TLS 1.2 or 1.3 as it requires a PSS padded signature and OpenSSL provides the padded data to sign with padding = NONE. My guess would be that your hardware token doesn't suppo

Re: [Openvpn-users] Kill stale session at the server

2021-04-08 Thread Selva Nair
Hi On Thu, Apr 8, 2021 at 6:53 PM Mason Walters via Openvpn-users < openvpn-users@lists.sourceforge.net> wrote: > I've run into this issue with 2.5 clients. Adding 'explicit-exit-notify' > to the client's config resolved it for me. > > > --explicit-exit-notify [n] > I have always felt that this (

Re: [Openvpn-users] Scripts initiated by Windows GUI DO pass data over VPN

2021-04-02 Thread Selva Nair
Hi, > If I distribute my VPN client as a Zip file then whatever name I give the > VPN config file, I will obviously make the batch file the same. > * provider.ovpn > * provider_up.bat > This is certainly not a difficult hurdle to side-step. > > > > It's easy for an unsuspecting user to "import" a

Re: [Openvpn-users] Scripts initiated by Windows GUI DO pass data over VPN

2021-04-02 Thread Selva Nair
Hi, On Fri, Apr 2, 2021 at 3:21 PM tincantech via Openvpn-users wrote: > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Hi, > > I have had to test this myself because I am a little shocked .. > > Using the Windows GUI and an up script named like so: > 'my_vpn_01_up.bat' > which is kept i

Re: [Openvpn-users] connecting to management interface from client-connect script?

2021-03-31 Thread Selva Nair
Hi, On Wed, Mar 31, 2021 at 3:54 PM Aleksandar Ivanisevic < aleksan...@ivanisevic.de> wrote: > Hi, > > are there any restrictions on contacting the management interface from a > client-connect script? > OpenVPN is single threaded. The client-connect script blocks and the management interface can

Re: [Openvpn-users] ERROR: setrlimit() failed: Operation not permitted (errno=1)

2021-03-20 Thread Selva Nair
Hi, On Sat, Mar 20, 2021 at 4:57 PM Gert Doering wrote: > Hi, > > On Sat, Mar 20, 2021 at 12:20:45PM -0400, Selva Nair wrote: > > We should have probably made this not a FATAL error. > > The rules could be twisted a bit ("if uid == 0 then not fatal"), but > gen

Re: [Openvpn-users] ERROR: setrlimit() failed: Operation not permitted (errno=1)

2021-03-20 Thread Selva Nair
Hi, If restricting capabilities, I think you will need to add CAP_SYS_RESOURCE to the bounding set in the systemd unit file. We should have probably made this not a FATAL error. Selva On Sat, Mar 20, 2021 at 12:00 PM tincanteksup wrote: > It should make no difference but I do not use --user/-

Re: [Openvpn-users] Can command line take multi parameter options? openvpn --remote "ip port" fails

2021-03-18 Thread Selva Nair
Hi, On Thu, Mar 18, 2021 at 7:50 PM 8187--- via Openvpn-users < openvpn-users@lists.sourceforge.net> wrote: > Hello, list, > > This is probably obvious to the rest of you, but I am not able to give > openvpn multi parameter options on the command line: > > sudo openvpn --remote "127.0.0.1 10153"

Re: [Openvpn-users] Windows ovpn server DHCP

2021-02-28 Thread Selva Nair
Hi, On Sun, Feb 28, 2021 at 9:51 AM tincanteksup wrote: > Hi, > > Ref: https://forums.openvpn.net/viewtopic.php?f=6&t=31928 > > I recall that there is some `netsh` setting that can affect DHCP working > but I cannot remember what it is or where it was documented. > > I believe it is something to

Re: [Openvpn-users] [Openvpn-devel] [Openvpn-devel/users] Debugging Windows based server scripts

2021-02-18 Thread Selva Nair
Hi, On Wed, Feb 17, 2021 at 5:38 PM tincanteksup wrote: > Hi, > > due to not being allowed to have scripts "echo data" to the log file > under Windows, debugging scripts is next to impossible. > > I presume there are no compile time options to enable "echo" under Windows > ? > > Could anybody pr

Re: [Openvpn-users] Windows GUI user/pass time out

2020-12-24 Thread Selva Nair
uld change in future. And, my name is out of place in here.. -- Selva On Thu, Dec 24, 2020 at 3:20 PM tincanteksup wrote: > > On 24/12/2020 19:43, Selva Nair wrote: > > Hi, > > > > On Thu, Dec 24, 2020 at 1:10 PM tincanteksup > wrote: > > > >> Hi, >

Re: [Openvpn-users] Windows GUI user/pass time out

2020-12-24 Thread Selva Nair
Hi, On Thu, Dec 24, 2020 at 1:10 PM tincanteksup wrote: > Hi, > > there is a forum thread: > https://forums.openvpn.net/viewtopic.php?f=6&t=31529#p96550 > > Which wants to know if the "enter user/pass timeout" can be configured. > The way it works is like this: if username/password is available

Re: [Openvpn-users] auth-pam plugin function failed on openvpn 2.5.0

2020-11-03 Thread Selva Nair
Hi, On Tue, Nov 3, 2020 at 4:38 PM Jordan Borgner wrote: > Hello all. > > I just installed openvpn 2.5.0 on archlinux. However, I'm having > problems with the auth-pam plugin. Users are not able to authenticate > themselves. They will get an error indicating that the password is > incorrect alth

Re: [Openvpn-users] [ext] WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA256'

2020-10-29 Thread Selva Nair
Hi On Thu, Oct 29, 2020 at 10:55 AM Ralf Hildebrandt < ralf.hildebra...@charite.de> wrote: > > True, but this "config mismatch warning" stuff should actually > > be checked before GCM is negotiated, so there *should* not be a > > mismatch if both sides have it in their config. > > Yes, it's ugly.

Re: [Openvpn-users] OpenVPN GUI Windows, OpenVPN running as service

2020-09-22 Thread Selva Nair
Hi On Tue, Sep 22, 2020 at 6:51 AM Helmut Schneider wrote: > Am 21.09.2020 um 23:16 schrieb Selva Nair: > > > On Mon, Sep 21, 2020 at 9:11 AM Helmut Schneider > <mailto:jumpe...@gmx.de>> wrote: > > > > Hi, > > > > I'm running OpenV

Re: [Openvpn-users] OpenVPN GUI Windows, OpenVPN running as service

2020-09-21 Thread Selva Nair
Hi On Mon, Sep 21, 2020 at 9:11 AM Helmut Schneider wrote: > Hi, > > I'm running OpenVPN GUI as Service on Windows 10. I do not understand what that means. Are you referring to the OpenVPN Interactive Service? > When I start the GUI > the status isn't displayed (not green) although the servi

Re: [Openvpn-users] Facetime bypassing the tunnel

2020-08-05 Thread Selva Nair
Hi, I think it's a known "feature" that some Apple services including FaceTime bypass the VPN tunnel. See the link below which is for the Connect client, but the community version should behave the same in this particular case. https://openvpn.net/vpn-server-resources/faq-regarding-openvpn-conne

Re: [Openvpn-users] Join PC with OpenVpn to Active Directory

2020-07-19 Thread Selva Nair
Hi, If your VPN establishes a route to the domain controller(s) and the domain name resolves from the client, you can join the domain just as you would do while directly connected to the LAN. For example, if the domain name is example.local, "nslookup example.local" should return the IP addresses

Re: [Openvpn-users] OpenVPN issues with Windows NLA

2020-07-02 Thread Selva Nair
Hi On Thu, Jul 2, 2020 at 1:08 PM Marco De Vitis wrote: > Il 01/07/20 21:18, Selva Nair ha scritto: > > fwiw, try removing the pushed block-outside-dns by adding this to the > client config: > > pull-filter ignore block-outside-dns > > > Hi, > I tried this and inde

Re: [Openvpn-users] OpenVPN issues with Windows NLA

2020-07-01 Thread Selva Nair
On Wed, Jul 1, 2020 at 3:18 PM Selva Nair wrote: > > Hi, > > On Wed, Jul 1, 2020 at 3:09 PM Marco De Vitis wrote: .. > > But why should this make NLA fail? DNS resolution using the VPN DNS > > server appears to work fine for every address, including the one which &g

Re: [Openvpn-users] OpenVPN issues with Windows NLA

2020-07-01 Thread Selva Nair
Hi, On Wed, Jul 1, 2020 at 3:09 PM Marco De Vitis wrote: > > Il 01/07/20 20:21, tincanteksup ha scritto: > > The post you made on the forum suggests that you have set a default > > gateway on the TAP adapter .. > > Do not do that. > Well yes, it's an attempt I made because I saw everyone in that

Re: [Openvpn-users] OpenVPN issues with Windows NLA

2020-07-01 Thread Selva Nair
Hi On Wed, Jul 1, 2020 at 12:45 PM Jan Just Keijser wrote: > > Hi, > > On 01/07/20 14:51, Marco De Vitis wrote: > > Hi, > I use OpenVPN client 2.4.9 on Windows 10 (v2004), and I have issues with the > Network Location Awareness (NLA) Windows service. > > The issue is essentially described here,

Re: [Openvpn-users] OpenVPN issues with Windows NLA

2020-07-01 Thread Selva Nair
Hi On Wed, Jul 1, 2020 at 11:21 AM Marco De Vitis wrote: > > Hi, > I use OpenVPN client 2.4.9 on Windows 10 (v2004), and I have issues with the > Network Location Awareness (NLA) Windows service. > > The issue is essentially described here, even though it dates back to Windows > 7: > https://d

Re: [Openvpn-users] graceful client disconnect

2020-05-28 Thread Selva Nair
> Thanks, Almost perfect! ;) Now, is there a way to send RESTART control > message only to the specific client, or at least decide in runtime what the > n parameter will be, as I don’t know in advance whether the server will be > restarted to rebalance the clients or to change the configuration. >

Re: [Openvpn-users] syslog, drop Port Sharing Messages

2020-05-26 Thread Selva Nair
ning once, but 2x the entries to syslog. > Actually, I see that for all (OpenVPN) messages. Hmmm. > > Will keep digging, thanks! > > ... Russell > > > > -Original Message- > From: Selva Nair > Sent: Tuesday, May 26, 2020 1:56 PM > To: Morris, Russell > Cc:

Re: [Openvpn-users] syslog, drop Port Sharing Messages

2020-05-26 Thread Selva Nair
Hi On Tue, May 26, 2020 at 2:28 PM Morris, Russell wrote: > > It's possible, I won't say it's not ... LOL. FYI, all I did was add this to > the server config file (for testing for now), > client-connect "/usr/bin/logger -t openvpn client connect successful" > > And then I monitored network traff

Re: [Openvpn-users] weird floating requests when restarting server

2020-05-25 Thread Selva Nair
Hi On Mon, May 25, 2020 at 1:28 PM Aleksandar Ivanisevic wrote: > > Hi, > > every time I restart the server (2.4.7 from debian 10.4) i see weird floating > requests, e.g. > > May 22 19:27:52 qbs01 openvpn[16384]: Float requested for peer 1 to > 1.2.3.4:5002 > > followed immediately by > > May 2

Re: [Openvpn-users] syslog, drop Port Sharing Messages

2020-05-24 Thread Selva Nair
elva! > > Good to hear from you. Hope all is going well there - and hope you and your > family are staying safe. > > Thanks for the info - will give this a try. Have you used it BTW? And do you > see it as faster / lower CPU load? > > Thanks again, > ... Russell >

Re: [Openvpn-users] syslog, drop Port Sharing Messages

2020-05-24 Thread Selva Nair
Hi Russell, Greetings! > > Perhaps a dumb question, but I’m setting up a Graylog (syslog) server, and > finding that I see a lot of records like the one below – I believe because > I’m port sharing (and have to, not really an option there). Just to make sure > though … I think it’s pretty safe

Re: [Openvpn-users] disable "auth-nocache" by push?

2020-05-04 Thread Selva Nair
Hi On Mon, May 4, 2020 at 8:51 AM Dajka Tamás wrote: > Hi, > > > > is it possible to disable „auth-nocache” in the client by a PUSH message? > I mean, if the „auth-nocache” is SET in the client.conf to „reenable” > credentials caching. What’s the logic behind? When we deployed the clients > we d

Re: [Openvpn-users] OTP + auth-token

2020-04-30 Thread Selva Nair
zed client id means already authenticated and sending client-auth-nt. In that case you can force a full auth when needed by sending a "client-deny reason" which will trigger a new auth dialog at the client side. Selva > > > Thanks, > > > >Tom > &

Re: [Openvpn-users] OTP + auth-token

2020-04-30 Thread Selva Nair
Hi, On Thu, Apr 30, 2020 at 11:16 AM Dajka Tamás wrote: > Hi All, > > > > I assume the issue from 2017 with auth-nocache + auth-token still exists. > However, I’ve bumped into something, which I cannot understand. Same setup > with OTP, but removed the ’auth-nocache’ from the client.conf. > I w

Re: [Openvpn-users] Google OTP With auth-user-pass-verify (2FA)

2020-04-24 Thread Selva Nair
On Fri, Apr 24, 2020 at 7:10 AM David Sommerseth < open...@sf.lists.topphemmelig.net> wrote: > On 21/04/2020 20:34, Selva Nair wrote: > > Hi, > > > > On Tue, Apr 21, 2020 at 12:44 PM Vertigo Altair < > vertigo.alt...@gmail.com > > <mailto:vertigo.alt...

Re: [Openvpn-users] Google OTP With auth-user-pass-verify (2FA)

2020-04-21 Thread Selva Nair
Hi, On Tue, Apr 21, 2020 at 12:44 PM Vertigo Altair wrote: > Hi OpenVPN People, > I have a OpenVPN server, in this server, I'm authenticating users with my > external program (via --auth-user-pass-verify option). There is no problem > in this situation. > I want to add Two Factor Auth. with goog

Re: [Openvpn-users] crl-verify [SOLVED]

2020-04-16 Thread Selva Nair
Hi, On Thu, Apr 16, 2020 at 10:41 PM tincanteksup wrote: > > Missing the point completely. > > *Why* does openvpn expect a decimal value for something which is clearly > intended to be and is at source Hex. What the ideal format should be is arguable, but the "source" is not in hex. Serial n
