[Top posting, to follow convention]
The "new" EasyRSA 3.x code/tool doesn't appear to have the problem you're
talking about. [I've recently tested with it, and revoking certs works fine -
at least with the options I'm using - there are obviously other code paths, and
perhaps they would produce
This is on Windows 7. Before I used the 'easy-rsa' script for RSA keys. Now I
would like to know how to generate CA, server, client, etc. using ECDSA keys?
Thanks!
[Sorry, forgot to post to the list...]
The GIT version of EasyRSA will do EC keys/certs. [You can just download it and
use it
New Windows install on a new machine.
New OVPN install too, obviously.
I'm using old config files, but I don't think the config file is part of the
problem.
The error I keep getting in the logs, follows. [Repeats endlessly.]
---
Wed Feb 24 13:13:53 2016 TCP: connect to [AF_INET]xx.xx.xx.151:1194
On Wed, Feb 24, 2016 at 4:32 PM, Gregory Sloop wrote:
New Windows install on a new machine.
New OVPN install too, obviously.
I'm using old config files, but I don't think the config file is part of the
problem.
The error I keep getting in the logs, follows. [Repeats endlessly.]
-
On Wed, Feb 24, 2016 at 6:48 PM, Gregory Sloop wrote:
I'll poke at some other stuff, but this is a _really_ odd situation. Glad for
any pointers anyone might have.
Easy to check the connectivity as this is tcp: Try
telnet serverA 1194
You may have to enable/install telnet fro
GD> Hi,
GD> On Wed, Feb 24, 2016 at 01:32:40PM -0800, Gregory Sloop wrote:
>> The error I keep getting in the logs, follows. [Repeats endlessly.]
>> ---
>> Wed Feb 24 13:13:53 2016 TCP: connect to [AF_INET]xx.xx.xx.151:1194 failed,
>> will try again in 5 secon
A working Quantum computer with sufficient capacity will obsolete EC, RSA etc.
It will all be game-over.
End of story. [At least mostly.]
But by the time a quantum computer with the sufficient qbits becomes available,
we'll likely understand [a lot] better the ramifications of such a machine and
So, IMO, EasyRSA is pretty broken.
[I'll skip the discussion about why. Go try to run it on Windows and see how
that works, then we can talk. Also, key encryption defaults.]
I also often need to generate certs for other things and GNU TLS's CertTool
works pretty well.
I'd like to use one t
SK> On 09-08-17 19:34, Gregory Sloop wrote:
>> I also often need to generate certs for other things and GNU TLS's
>> CertTool works pretty well.
>> I'd like to use one tool to generate all the certificates I generally
>> need - it's just easier to keep tra
So a few observations and possible clues/issues:
I should probably do another test, though I'm worn out from all the hassle of
the last go-round. [But I think I kept all the "test" certs I used, so testing
should be easier...]
But I think your cert shows:
X509v3 extensions:
Hi,
On 29/08/17 22:06, Gregory Sloop wrote:
Re: [Openvpn-users] Server vs Client cert generation
So a few observations and
possible clues/issues:
I should probably do another test, though I'm worn out from all the hassle of
the last go-round. [But I think I kept all the "test
Top Posting:
UDP is preferred vs TCP because of TCP inside TCP issues - e.g. TCP sliding
window ACK inside another TCP sliding window ACK. As packet loss increases,
this becomes a huge problem. Essentially, you have TCP stream inside the OVPN
tunnel, and it's being ferried to the remote site/c
Top posting
JJK> The only thing you can do, is to run something like Traffic Control (tc)
JJK> on the link to prioritize low latency traffic compared to bulk
JJK> downloads. If I throttle my iperf session to use 80% of the maximum link
JJK> speed then the ping times remain much lower. When the li
The short answer is:
If the traffic going "inside" the tunnel is UDP based, it's already built to
handle packet loss.
If the traffic going "inside" the tunnel is TCP based, it's going to be handled
by the TCP connection that's encapsulated by the tunnel. [i.e. The TCP
connection will re-transmi
F> Additional information:
F> I have the vpn working properly through a wireless router to my work
F> network. No errors
F> in the server logs. But when I switch to my phone providers network
F> (rogers quebec canada)
F> I then start getting the errors and I cannot surf with the browser.
Top posting:
This is exactly right - many ISP's are *NOT* generating/returning the ICMP
"Fragmentation needed" responses - in which case, your reliance on PMTU will
result in a completely failed connection. [For my users, at least, that's the
*MOST UNDESIRABLE* option of any.]
Using a smaller
--
Gregory Sloop, Principal: Sloop Network & Computer Consulting
Voice: 503.251.0452 x82
EMail: gr...@sloop.net
http://www.sloop.net
[I just realized I failed to post this to the list and only to Bonno. Sorry
Bonno, you'll get it twice now! :) ]
Probably not the answer you're looking for - but I gave up on EasyRSA a while
ago. [It's unevenly updated, had serious problems, was concerned about the
default key security (in an e
18 matches