If I'm correctly reading into how OpenVPN works the server is in some
sense stateful in that it has to remember the association of the
original source address of a client with the client's VPN address in
order to route a reply packet back to it. Are there other things it
remembers about the co
en a
well-labeled C struct would be fine, I just don't know how extensive the
source code is).
On 11/29/2015 03:56 AM, Steffan Karger wrote:
> Hi,
>
> On Sun, Nov 29, 2015 at 6:26 AM, Leroy Tennison
> wrote:
>> If I'm correctly reading into how OpenVPN works the serve
A couple of thoughts come to mind. First, if node 254 is always active
then "well-behaved" DHCP clients should test for that and never accept
that address. Second, if OpenVPN is using that address then hopefully
the developers had enough foresight to prevent it from passing out that
address.
I have been asked to set up a site-to-site OpenVPN instead of using
IPSec and there are some things I'm not sure about. I'm mostly familiar
with "road warrior" implementations. Assuming a tun implementation, how
does site-to-site work as far as routing is concerned? I've searched
the web and
Is there a way to get these messages to be sent to the log file specified in
OpenVPN's configuration file? I see a reference to the "--echo [parms...]"
configuration but there is no explanation about the definition of parms.
Thanks for any and all help.
And I forgot to mention:
Make sure the selected port isn't being used by anything else.
Adjust your firewall settings to accept the new port.
On 07/07/2018 10:44 PM, Leroy Tennison wrote:
Yes, just change the port specification in the openvpn's *.conf file and restart
the server
Yes, just change the port specification in the openvpn's *.conf file and
restart the server. Use the same port on the client.
On 07/07/2018 10:07 PM, James Peng via Openvpn-users wrote:
Hello,
Can I change my personal OpenVPN server’s default port number? How about
8080 to make it looks
I need to set up a "point to point" VPN between two sites. I use the term
"point to point" loosely since the endpoint systems on each end aren't really a
system but a failover pair of systems. We had a true point-to-point
connection but then set up a failover pair of servers at "Site 1". When
s my issue.
And, again, given the challenge, I'm open to any and all input I can receive on
this approach.
-Original Message-
From: Jan Just Keijser
To: Leroy Tennison ; openvpn-users
Sent: Mon, Nov 12, 2018 4:43 am
Subject: Re: [Openvpn-users] "Point to point" vpn fail
allows us to have either system at
either end up and have a functioning point-to-point equivalent. I'm replying
mainly to provide my experience to anyone else who faces the same issue.
Thanks for everyone's input.
-Original Message-
From: Jan Just Keijser
To: Leroy Tennison
If I put the following in my client configuration file:
up /tmp/openvpn-test
OpenVPN won't start.
openvpn-test is world-readable and contains:
#!/bin/bash
/bin/echo "$1 $2 $3" > /tmp/openvpn-show
exit 0
What am I doing wrong? Thanks for your help.
I don't know what happened to my last response but the problem was systemd,
using "systemctl start openvpn@leroy" with "verb 6" produced
Options error: --up script fails with '/tmp/openvpn-test': No such file or
directory
However, "ls -al /tmp/openvpn-show" returns (and yes, I have "script-secur
I previously believed that all IP network communication was done at layer 2 via
arp and transmitting to the MAC address of the system responding for its IP
address. Then I realized that OpenVPN doesn't have MAC addresses, so how does
communication coming into an OpenVPN server from a non-OpenV
That is an impressive diagram, I'm going to have to spend some time working
through it - thank you.
-Original Message-
From: Pippin
To: Leroy Tennison
Cc: openvpn-users
Sent: Mon, Nov 11, 2019 6:33 am
Subject: Re: [Openvpn-users] Communicating to OpenVPN
Hi,
Maybe this diagra
Running OpenVPN 2.3.10 on Ubuntu 16.04 using a working configuration with only
the "script-security" and "client-connect" lines added. Starting the OpenVPN
server with systemctl starts it successfully and a client can connect but the
client-connect script doesn't run and no error is reported in
cript but, with a working
configuration I don't have the time luxury to troubleshoot that.
Thank you for your help, I certainly appreciate it.
-Original Message-
From: Jan Just Keijser
To: Leroy Tennison ; openvpn-users
Sent: Sun, Dec 29, 2019 10:33 am
Subject: Re: [Openvpn-users
Admittedly, an older server version (2.3) but is there a way to specify
multiple DNS search suffixes for a Windows (10 if that makes a difference)
client. The clients are part of a domain but I have no control over them via
that avenue. I've tried multiple dhcp-option DOMAIN entries and the l
Thanks for the reply - you saved me the frustration and time of trying to find
a non-existent solution.
-Original Message-
From: Gert Doering
To: Leroy Tennison
Cc: openvpn-users
Sent: Sun, Mar 1, 2020 1:15 am
Subject: Re: [Openvpn-users] Multiple DNS search suffixes on Windows
Hi
Interesting - wasn't aware of that. So even if OpenVPN added the feature it
might not work...
-Original Message-
From: Selva Nair
To: Gert Doering
Cc: Leroy Tennison ; openvpn users list
(openvpn-users@lists.sourceforge.net)
Sent: Sun, Mar 1, 2020 9:29 am
Subject: Re: [Op
Is OpenVPN architecture similar to HTTPS where the certificate, etc. is used to
encrypt and transmit a symmetric key which is then used for all future
communication?
Server is 2.3.10, clients are "various" (but not older than 2.3.10). A few
questions:
Is there a way to tell what cipher an active connection is using?
If I want to set a cipher on the server, do all clients have to be explicitly
configured the same way? Put another way, is there a way to migra
I had a situation today where I was asked "telnet to the port, see if it
connects" to check their firewall configuration. I realize this isn't going to
work because telnet is tcp and the configuration is udp but it caused me to
wonder "Is there a way to test protocol connectivity (are udp packe
Thank you, you've given me options to try, I appreciate it.
-Original Message-
From: Gert Doering
To: Leroy Tennison
Cc: openvpn-users
Sent: Wed, Apr 29, 2020 12:50 am
Subject: Re: [Openvpn-users] cipher selection
Hi,
On Tue, Apr 28, 2020 at 10:23:10PM +0000, Leroy Tenniso
e-
From: Gert Doering
To: Leroy Tennison
Cc: openvpn-users
Sent: Wed, Apr 29, 2020 12:50 am
Subject: Re: [Openvpn-users] cipher selection
Hi,
On Tue, Apr 28, 2020 at 10:23:10PM +0000, Leroy Tennison via Openvpn-users
wrote:
> Server is 2.3.10, clients are "various" (but not o
Thanks for the clarification. I noticed your "upgrade" statement, just didn't
assume a strict dependency of the ".. OCC..." statement with the upgrade
statement. Working on an upgrade plan...
-Original Message-
From: Gert Doering
To: Leroy Tennison
Cc: open
I've seen a couple of replies to this but no direct answer to my question,
sounds like OpenVPN works similar to https, correct?
-Original Message-
From: Leroy Tennison via Openvpn-users
To: openvpn-users
Sent: Tue, Apr 28, 2020 5:28 pm
Subject: [Openvpn-users] OpenVPN architectur
Thank you, I appreciate the detailed response.
-Original Message-
From: Gert Doering
To: Leroy Tennison
Cc: openvpn-users
Sent: Wed, Apr 29, 2020 11:53 am
Subject: Re: [Openvpn-users] OpenVPN architecture
Hi,
On Wed, Apr 29, 2020 at 04:47:56PM +, Leroy Tennison via Openvpn-users
You may be able to do it, my concern would be "route confusion". We have that
situation with OpenVPN and a different VPN offering the same subnet to a
Windows client (two entries to the same subnet via different paths in Windows'
routing table) and it's not working. I have also tried having tw
We use OpenVPN but are getting requests from customers for IPSec. In doing
research I came across a reference stating the OpenVPN development team has
"subscribed to" some standard for secure development but, of course, now I
can't find it. Does anyone have a reference to what I'm talking abou
A way, although not perfect, is to implement the status log. You would have to
back it up periodically and retain a year's copies. The limitation is that it
is a snapshot of the status and you could easily miss a temporary connection.
A better way would be to implement a client-connect script
This doesn't directly answer your question but we have done what you are about
to do and didn't have any problems. In our situation OpenVPN ran on a VM so we
did a backup of the image beforehand. Ubuntu is pretty good about not
replacing configuration files with customizations without promptin
Maybe I'm missing something here but, if the RPI is running an ssh server and
there are no "blocking" firewall rules, can you not connect to it via the VPN
IP address it takes on when it establishes the VPN connection? You may need
routes on your LAN for the VPN subnet routing traffic to the VP
Trying to find information on how OpenVPN uses the keys generated for the
client and server to encrypt traffic and not having any success (maybe I'm not
searching for the right terms). Can someone explain or point me to a URL
explaining how OpenVPN encrypts traffic once authentication is succes
If this gets too complicated, another option may be to run multiple OpenVPN
servers, each with its unique access parameters. It's certainly more work but
might make each configuration simpler and easier to understand with the benefit
possibly outweighing the effort.
-Original Message
After 10 years this happened to us, fortunately on a small VPN. In rushing to
get service restored, I used easy-rsa's build-ca, big mistake - had to
recreate all client certificates. After some research I found that "openssl
x509 -in /etc/openvpn/easy-rsa/keys/ca.crt -days 3650 -out ca-v2.crt
inal"
CA.
You make a very good point about "refreshing" the configuration files to make
sure they're up-to-date since everything is having to be updated anyway, thanks
for mentioning it.
-Original Message-
From: tincantech
To: Leroy Tennison
Sent: Fri, Oct 28, 2022
Works but is painful on Ubuntu 22.04. I'm using "plugin
/usr/lib/openvpn/openvpn-plugin-auth-pam.so login" in the server configuration
and "auth-user-pass" in the client configuration per
https://openvpn.net/community-resources/using-alternative-authentication-methods/.
If started from a user
I have a situation where the conf file was modified by someone else but no
backup was made (I know, bad practice, I don't have control over that) but ps
seems to indicate that OpenVPN wasn't restarted afterward. Looking at the
command line displayed by ps, the config file is listed and the para
Without seeing both conf files, I can only guess at the issue but, did you use
different "local" directives in each conf file?
On Saturday, July 22, 2023 at 08:02:17 AM CDT, Jason Long via Openvpn-users
wrote:
Hello,
My OpenVPN server has two NICs and both of them are connected to the
Not knowing what your first conf file contained but seeing that your second
file is using the default 1194 port, I'm guessing that you need to change that
to something like 1195 (assuming nothing else is using it). That will mean
adjusting the client conf file to use the different port as well
Thank you, that is very helpful. verb is currently 3 but that is easy to
change in the management console.
On Saturday, July 22, 2023 at 10:57:44 AM CDT, Selva Nair
wrote:
On Sat, Jul 22, 2023 at 3:20 AM Leroy Tennison via Openvpn-users
wrote:
I have a situation where the conf
July 23, 2023 at 06:23:37 AM CDT, Jason Long
wrote:
Hello,
Thank you so much for your reply.
This is normal in Linux. When you have two NAT NICs, just one of them is used
to connect to the Internet. You must write routing tables. Does OpenVPN do this
routing itself?
On Sunday, July 23,
A company I consult with is running three OpenVPN servers on a single NIC.
Either the port or possibly the protocol has to be different. And there are
cautions about running OpenVPN on tcp so probably best to stick to different
ports. In the situation above one OpenVPN instance used udp and
See
https://serverfault.com/questions/1074672/where-and-how-should-i-define-openvpn-user-pass
and
https://openvpn.net/community-resources/using-alternative-authentication-methods/
On Monday, July 24, 2023 at 05:44:16 AM CDT, Jason Long via Openvpn-users
wrote:
Hello,
Thank you so muc
is disconnected from
the internal network. How to solve it? Can you show me an example?
On Monday, July 24, 2023 at 09:17:48 AM GMT+3:30, Leroy Tennison via
Openvpn-users wrote:
I'm a little unclear about your question so hopefully this general reply will
help. OpenVPN'
Below is the script I'm attempting to use (IP address obfuscated but is valid,
domain search obfuscated - wouldn't be valid)
#!/bin/bash
/usr/bin/echo "Params dev $dev and script type $script_type" >> /tmp/vpn-dns
case "$script_type" in
  up)
    resolvectl dns $dev 10.10.10.1
    /usr/bin/ec
These are truly wild guesses but did you recreate the server cert? Does your
server conf file and your client's conf or ovpn file refer to the new certs
(and dh file for the server)? I assume you've restarted both. Have you
boosted the logging to see if anything surfaces? Have you run a sta
Published articles say it affects all VPNs due seemingly to a DHCP
man-in-the-middle attack. I was under the impression that VPNs were encrypted
end-to-end from the very start and thus don't see how a man-in-the-middle could
have any effect. Am I misunderstanding the architecture for OpenVPN
Thanks for your reply, I appreciate it. So basically no encryption has been
compromised and only traffic originally intended for the VPN has been
misdirected?
On Wednesday, May 15, 2024 at 01:32:31 AM CDT, Gert Doering
wrote:
Hi,
On Wed, May 15, 2024 at 02:39:42AM +, Leroy
Was working on a remote system (a local NIC on a network not associated with
the one I was on and the OpenVPN tun interface) with a request to change the
local system's IP address. Fortunately I warned the remote staff that I might
need their assistance. I added the new local IP address. When
Thanks for replying, I'll look into the things you mentioned.
On Monday, July 8, 2024 at 01:33:01 AM CDT, Gert Doering
wrote:
Hi,
On Sun, Jul 07, 2024 at 10:33:35PM +0000, Leroy Tennison via Openvpn-users
wrote:
> Was working on a remote system (a local NIC on a net
168.1.10/24 dev eth0
Hope this helps someone else avoid the same issue.
On Monday, July 8, 2024 at 01:33:01 AM CDT, Gert Doering
wrote:
Hi,
On Sun, Jul 07, 2024 at 10:33:35PM +0000, Leroy Tennison via Openvpn-users
wrote:
> Was working on a remote system (a local NIC on a network not
I understand, in this case it was a client.
On Thursday, July 11, 2024 at 01:27:22 AM CDT, Bo Berglund
wrote:
On Thu, 11 Jul 2024 00:37:26 + (UTC), Leroy Tennison via Openvpn-users
wrote:
> After some testing I determined that this was my fault. I wasn't connecting
>
53 matches