ungscache wurde geleert.
Fri May 24 12:10:21 2013 C:\windows\system32\ipconfig.exe /registerdns
Windows-IP-Konfiguration
Die Registrierung der DNS-Ressourceneinträge für alle Adapter
dieses Computer wurde initialisiert. Fehler werden in der
Ereignisanzeige in 15 Minuten aufgeführt.
Fri May 24
puters.
--
Ralf Hildebrandt Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de Campus Benjamin Franklin
http://www.charite.de Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.5
rstand why openvpn doesn't auto-negotiate this.
I was wondering about this as well. This makes it extremely hard to
ever change the cipher (i.e. if it's not considered "safe" anymore)
--
Ralf Hildebrandt Charite Universitätsmedizin Berlin
ralf.hildebra
ve to give the user two configs, one containing:
proto udp
remote gateway.charite.de 1194
and the other
proto tcp
remote vpn-last-resort.charite.de 443
--
Ralf Hildebrandt Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de Campus Benjamin Franklin
http://www.
* Krishna Murthy :
> hi
>
> wrapping connection TLSv1 & SSLv2 how to fix this problem pls help me
Which problem?
> WRAPPING MY ALL OPENVPN CONNECTION & YOUR FREEDOM Pls see below
Wrapping into what?
Which program generated the logs?
--
Ralf Hildebrandt
e='openvpn --version'
dir='C:\Users\Acer\Documents\Wichtige Dokumente\Charite\OpenVPN\bin'
and an OK button on the bottom right.
Problem: Even upon reinstallation with correct (default) paths, the
error message above tends to stick.
Where is that path stored?
* Gert Doering :
> Hi,
>
> On Thu, Dec 05, 2013 at 09:52:08AM +0100, Ralf Hildebrandt wrote:
> > Problem: Even upon reinstallation with correct (default) paths, the
> > error message above tends to stick.
> >
> > Where is that path stored? How can I fix this?
or OpenVPN-GUI. This installer is not, however, included in
> 2.3.x, and probably never will, because it might cause other issues
> which we don't want in stable releases. It will be bundled with the
> upcoming OpenVPN 2.4 installers, though.
--
Ralf Hildebrandt Ch
* Gert Doering :
> Hi,
>
> On Fri, Dec 06, 2013 at 03:28:14PM +0100, Ralf Hildebrandt wrote:
> > OK, so one would have to delete the keys. Which keys?
> > Great, where do I find those?
>
> Sorry for the omission :-) - Heiko mentioned them yesterday, but only
>
aracters.
>
> Have you some information about this problem ?
Is it also in a recent version of openvpn?
--
Ralf Hildebrandt Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de Campus Benjamin Franklin
http://www.charite.de Hindenburgdamm 30, 122
's very nice and fair.
--
Ralf Hildebrandt Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de Campus Benjamin Franklin
http://www.charite.de Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk f
I installed openvpn to a wrong folder, then I reinstalled and
installed it to the correct folder. Now I'm getting:
CreateProcess failed, exe='D:\Lukas\Apps\personalVPN\bin\openvpn.exe'
cmdline='openvpn --version' dir='D:\Lukas\Apps\personalVPN\bin'
How can that be fixed?
--
Ralf Hildeb
for various users.
> For now you can fix this by either removing OpenVPN-GUI's registry keys
> and running OpenVPN-GUI (as an admin), or by changing the value of the
> registry key which tells OpenVPN-GUI where to look for openvpn.exe.
Which keys are those?
--
Ralf Hildebrandt
the FAQ?
Yes please. At least until the new GUI comes our way.
> Who *is* maintaining the FAQ these days anyway, and where...?
Who's changing the paths and why? I hate my users. And I hate Windows 8.1!
--
Ralf Hildebrandt Charite Universitätsmedizin Berlin
ralf.hildebra...
> > Which keys are those?
> >
> Look into HKEY_LOCAL_MACHINE\Software\OpenVPN-GUI. The registry key
> names are self-explanatory.
Indeed. It was very simple. I deleted the whole
HKEY_LOCAL_MACHINE\Software\OpenVPN-GUI subtree
--
Ralf Hildebrandt Charite U
During that time NOTHING is
being logged on the client side (!).
After some time the server notices that the client went missing.
* clicking on "reconnect" in the status window on the client makes the
connection work for another 4 minutes.
Any ideas on that one?
--
Ralf Hil
Are there currently recommendations for the ciphers when dealing with
clients >= 2.3.6 (Cross-platform; windows, mac os x, Linux)?
I've seen:
cipher AES-256-CBC
keysize 256
auth SHA256
and:
cipher AES-256-CBC
auth SHA512
tls-cipher DHE-RSA-AES256-SHA
--
Ralf Hil
n into tunnelblick"
> - this is the level of users we're dealing with.
Same here.
> They wouldn't know about "files" and "move to correct directory,
> replacing the file that is already there"...
Same here.
--
Ralf Hildebrandt
on Win32 only (ignoring it on osx/linux is ok)
* do I need to change the config on the client or can that be pushed from the
server?
--
Ralf Hildebrandt Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de Campus Benjamin Franklin
http://
erwise some testers reported DNS latencies in the first few minutes
> of VPN usage.
A side issue there with register-dns:
https://community.openvpn.net/openvpn/ticket/570
--
Ralf Hildebrandt Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de Campus
wonder if the installer could be "universal" (meaning it could
contain both 32 and 64 bit versions and choose the correct arch
automatically).
--
Ralf Hildebrandt Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de Campus Benjamin Franklin
ht
me up with a
> final installer!" and is sufficiently... $insertpoliteword that is not
> easy to extend.
>
> But then, it's not mine anyway, maybe Samuli likes this idea so much... :-)
Unlikely :)
--
Ralf Hildebrandt Charite Universitätsmedizin Berlin
ralf.hil
* Selva Nair :
> manifest, but personally I think that's too invasive as there could be
> legitimate users who do not need to set routes, for example.
You mean a bridged VPN (TAP?)
--
Ralf Hildebrandt Charite Universitätsmedizin Berlin
ralf.hildebra...
* debbie...@gmail.com :
> FYI:
> There appears to be something badly wrong with
> https://community.openvpn.net/openvpn/wiki/TitleIndex
...
Welcome to the wonderful world of wiki spam
--
Ralf Hildebrandt Charite Universitätsmedizin Berlin
ralf.hildebra...@c
I found this
https://www.lowendtalk.com/discussion/40099/why-openvpn-is-so-slow-cool-story
Is setting sndbuf/rcvbuf really a good solution?
--
Ralf Hildebrandt Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de Campus Benjamin Franklin
http://www.charite.de
* Samuli Seppänen :
> Hi,
>
> Should we have a separate apt repository for "unstable" apt packages?
Yes please. Do have a look at how dovecot does it:
http://wiki2.dovecot.org/PrebuiltBinaries#Debian
there is "stable" and "testing"
--
Ral
in this context
([PUSH-OPTIONS])
Fri Oct 21 14:41 options error: option 'setenv' cannot be used in this context
([PUSH-OPTIONS])
one line for each "setenv opt".
Is my syntax correct? I wanted to make "register-dns" and
"block-outside-dns" optional for
ble to make "register-dns" and "block-outside-dns" entirely
optional (on OS X / Linux), I'd have a "clean" log.
--
Ralf Hildebrandt Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de Campus Benjamin Franklin
http://www.charite.
> "push-peer-info" will tell you whether a client supports LZ4 or not.
How do I use that?
--
Ralf Hildebrandt Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de Campus Benjamin Franklin
https://www.charite.de Hindenburgdamm 30, 1220
* Jan Just Keijser :
> by adding
> compression
compress
> or
> comp-lzo
> to the client config, you turn on the compression bit in each packet, and
> thus allow the server to push the compression algorithm of choice to all
> clients.
--
Ralf Hildebrandt
* Jonathan K. Bullard :
> Hi,
>
> On Thu, Nov 16, 2017 at 5:45 AM, Ralf Hildebrandt
> wrote:
> > * Jan Just Keijser :
> >
> >> yes, pretty much: all clients that have 'comp-lzo' in the client config and
> >> that support LZ4 can be told to use
"Enabling LZO compression for client $common_name"
> echo "comp-lzo" >> $1
> echo "push \"comp-lzo\"" >> $1
> fi
Awesome.
I'll try this.
--
Ralf Hildebrandt Charite Universitätsmedizin Berlin
ralf.hildebra
eb/10.31.111.66 Bad LZO decompression
header byte: 251
Nov 17 13:42:05 openvpn udp[23345]: hildeb/10.31.111.66 Bad LZO decompression
header byte: 251
Nov 17 13:42:05 openvpn udp[23345]: hildeb/10.31.111.66 Bad LZO decompression
header byte: 251
I'm using openvpn for mac (2.4.4)...
--
* Jan Just Keijser :
> keep in mind that you also need to tell the server to use LZ4 for your
> client; in my original script I was writing out
> compress lz4
> push "compress lz4"
>
> your server seems "stuck" on "compress lzo
My users primarily use Windows (OpenVPN-GUI), Tunnelblick. We do have
some Linux users (mainly using NetworkManager) and even 4 ChromeOS
users.
Is there any way for me to display informational messages on the
users' computer when they're logging in via VPN?
--
Ralf H
* Jonathan K. Bullard :
> Hi,
>
> On Mon, Nov 20, 2017 at 10:16 AM, Ralf Hildebrandt
> wrote:
> > My users primarily use Windows (OpenVPN-GUI), Tunnelblick. We do have
> > some Linux users (mainly using NetworkManager) and even 4 ChromeOS
> > users.
> >
>
> I agree with Selva that it would be a good idea to standardize "echo"
> commands, so I will start a new thread about that.
I totally agree.
--
Ralf Hildebrandt Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de Campus Benjami
key
115 TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
1617 TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 2048 bit RSA
17756 TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
--
Ralf Hildebrandt Charite Universitätsmedizin Berlin
ralf.
n DNS dynamically", VPN would work as
expected.
openvpn did not log anything regarding the DNS server (I do know that
the Mac OS Tunnelblick VPN client issues a warning in that case).
Is this intentional?
--
Ralf Hildebrandt Charite Universitätsmedizin Berlin
ralf.hildebra...@
est outside the VPN tunnel with --udp. Does that
> give different results?
Beware, UDP is limited to 1 Mbit in iperf ("default 1 Mbit/sec for
UDP, unlimited for TCP"), thus:
iperf3 --udp --bandwidth 200M -c 172.31.254.1
Also, check CPU on both machines to see if
pression, why not turn compression off - on the fly - for every
client?
How would I push an "empty" compression parameter?
Is this feasible at all?
--
Ralf Hildebrandt Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de Campus Benjamin Fr
is:
if ($version =~ "2\.3\.") {
push @outline, 'compress lzo';
push @outline, 'push "compress lzo"';
}
else {
push @outline, 'compress';
push @outline, 'push "compress"';
# compression considered insecure
}
* Ralf Hildebrandt :
> In the end I resorted to this:
>
> if ($version =~ "2\.3\.") {
>push @outline, 'compress lzo';
>push @outline, 'push "compress lzo"';
> }
> else {
>push @outline, 'compress';
>
ules, both on the box itself and in the core network.
UDP or TCP? We're also seeing this a lot, especially with some DSL
providers having issues with UDP traffic...
--
Ralf Hildebrandt Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de Campus Ben
S 192.168.6.54"
How does the client use openvpn? Via NetworkManager or via the command
line. I guess the latter.
--
Ralf Hildebrandt Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de Campus Benjamin Franklin
https://www.charite.de Hindenburgdam
* Stefanie Leisestreichler :
> Thu Mar 14 14:46:48 2019 UDPv4 link remote: xxx.xxx.xxx.xxx:1194
> Thu Mar 14 14:47:48 2019 TLS Error: TLS key negotiation failed to occur
> within 60 seconds (check your network connectivity)
That could be a firewall or routing issue.
--
Ralf Hi
or '185.200.118.0 - 185.200.118.255' is 'ab...@m247.ro'
https://www.m247.ro/en/
--
Ralf Hildebrandt Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de Campus Benjamin Franklin
https://www.charite.de Hindenburgdamm 3
I found this:
https://winaero.com/blog/speed-up-openvpn-and-get-faster-speed-over-its-channel/
and now I wonder if these recommendations (still) make sense.
--
Ralf Hildebrandt Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de Campus Benjamin Franklin
https
* Lev Stipakov :
> To use Wintun driver instead of tap-window6, add "windows-driver wintun"
> to your VPN profile.
"VPN profile"? Do you mean "in the config file"?
he man page of the "normal" openvpn
doesn't list "windows-driver" -- so I was unsure if it's
a) windows-specific
b) 2.5-specific.
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk
Campus Benjamin Franklin (CBF)
Haus I | 1.
if we could manage to get it into the
> 2.5 release.
I totally support this. Some of my users are having a hard time
installing the "normal" driver, so Wintun is a welcome alternative.
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk
Camp
How can I easily redirect script stderr/stdout while in daemon mode?
I have a --auth-user-pass-verify script which (in some odd cases)
exits with exit status 255 and I cannot fathom why.
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk
Campus
* Gert Doering :
> Hi,
>
> On Mon, Jan 27, 2020 at 04:40:10PM +0100, Ralf Hildebrandt wrote:
> > How can I easily redirect script stderr/stdout while in daemon mode?
> >
> > I have a --auth-user-pass-verify script which (in some odd cases)
> > exits with exit s
What are the current "state of the art" settings for cipher & auth?
My current gateway is using:
cipher AES-256-CBC
auth SHA256
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk
Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
auth SHA256
dh none
ecdh-curve secp384r1
like on https://www.privacy-handbuch.de/handbuch_97a.htm ?
> And, if all your systems are 2.4+ and you do not change --ncp-disable or
> --ncp-ciphers, is what you get automatically anyway. :-)
Which they are not :( The
is a known issue -- could we get a recent version of openvpn with
a TAP32 driver that actually works on Win10? Or can we simply
recommend installing 2.4.7 instead (and hope the driver bundled is
9.23.3)?
It doesn't seem to happen with all Win10 installations, though.
--
Ralf Hildebran
Does the passtos option need to be set BOTH on the server and client?
If so, can I "push" the option to the client?
We're mostly using Windows (2.4.2 and up) & Mac Clients (Tunnelblick)
-- are their openvpn implementations handling this option at all?
Ralf
hat, it is hardly ever required to set
> it on a client, unless that client is forwarding traffic for a client-side
> lan
The idea was to use "--passtos" since we're using skypeforBusiness on
the clients.
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsberei
> Can you send me (privately) C:\Windows\inf\setupapi.dev.log from one or
> some of the affected computers? Or just the part of it which describes
> the failed tap-windows6 installation (rather easy to find).
Did that just now, along with some screenshots.
Ralf Hildebrand
* mich...@fritscher.net :
> On 2020-03-30 17:14, Ralf Hildebrandt wrote:
> > Did that just now, along with some screenshots.
>
> Which were scrubbed from the mailinglist software it seems...
I sent them to him, not the list (as requested)
Ralf Hildebrandt
Charité - Universität
e setupapi.dev.log files from both of the
> machines if that would be helpful.
Definitely. I sent my copy to Samuli. I also have the setupapi.dev.log
after installation and after the installation of the alternative TAP32
driver. Maybe the diff can be helpful.
Ralf Hildebrandt
Charité - Un
ion signed
> > Authenticode = cross-signed
>
>
> Sorry, I don't know much about NSIS operation: is tap-windows6 driver
> included in the openvpn-install-2.4.8-i602-Win10.exe installer?
Blasphemic question: Why is a win7 driver included in
"openvpn-install-2.4.8-i
it work as a DHCP option?
You want a user to establish a VPN connection and then "use" the pushed
PROXY_AUTO_CONFIG_URL in his/her browser?
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk
Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Ra
where a user can simply double click a
> ovpn extension file and it will prompt to load the configuration.
I do agree an "import on double click" would benefit the average
reading-impaired user (we have those, lots!)
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsberei
* Dajka Tamás :
> Yes (given he/she can access the proxy through the VPN - the defgw is pushed
> also)
>
> PROXY_AUTO_CONFIG_URL is a 'wpad'/'pac' file for me, containing all the infos
> needed - standard format.
Same as here; I don't think th
as error "rendering their current installation
faulty/non working" - while it's working perfectly.
For over a year we're sending out config files which don't trigger the
warning, but people still use the old files - and a new Tunnelblick,
since (thank Lord!) it aut
s" [2], not plain .ovpn files, so that
> will be a problem if you distribute the same configuration file(s) for
> users of all platforms.
That is what we currently do, but if your method has advantages, we
can maybe generate MAC-Specific files.
Ralf Hildebrandt
Charité - Universitätsm
y in effect... Using 2.4.9-bionic0 from Ubuntu. And yes, the
process had been started after the config change was made.
Could it be that this option is not working?
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk
Campus Benjamin Franklin (CBF)
Haus
creative line numbers)?
The order or the key-direction / tls-auth statements in respect to the
blocks?
--
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk
Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30 | D-12203 Ber
56-GCM
data-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM:AES-128-CBC:BF-CBC
auth SHA256
and the client config says:
cipher AES-256-CBC
auth SHA256
As far as I can see "auth SHA256" is used consistently.
So why does it report "auth [null-digest]"?
Ralf Hildebrandt
Charité - Uni
* Ralf Hildebrandt :
> As far as I can see "auth SHA256" is used consistently.
> So why does it report "auth [null-digest]"?
tl;dr: client and server negotiate a GCM (Galois/Counter Mode) cipher
(AES-GCM), and those ciphers include a HMAC, thus the specified AU
used inconsistently (we talked about this)
link-mtu used inconsistently (dunno what to do about this)
WARNING: 'cipher' is used inconsistently, but I have a more recent config for
that.
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk
Campus Benja
> That said, these kinds of false warnings need to be fixed. The whole idea
> of warnings is to draw the user's attention to it and is predicated upon
> these being indications of possible misconfiguration.
Indeed :)
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Gesch
ts to prevent MORE clients on machine 2?
I could return AUTH_FAILED, but that would irritate the users, since
their clients would ask for a (new) password.
--
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk
Campus Benjamin Franklin (CBF)
Haus I |
hought so.
> (Maybe I'm all wrong and there is a way to send RESTART from plugin
> or scripts, and I just don't know it yet)
That would rock.
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk
Campus Benjamin Franklin (CBF)
Haus I |
", how can the client expect to resolve
".foo.bar.gov" at all?
--
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk
Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 5
r other methods exist.
Ah, that makes it clear.
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk
Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155
ral
nk...
It would totally disable DNS Caching, yes.
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk
Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155
ralf.hildebra...@ch
lients just fine
Even UDP clients?
> and limit amount of backend connections, haproxy can work if you don't need
> UDP
> traffic,
We're using UDP...
> LVS does not works as expected with UDP balancing.
That would have been my initial choice
Ralf Hildebrandt
Charité - U
:627548 t=1615815597[0] r=[-2,64,15,92,1] sl=[8,64,64,528]
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk
Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155
ralf.hildebra...@charite.de
> Use 2.5, which has asynchronous (deferred) client-connect scripts.
Are there any changes needed for that in the config / on the script
side of things?
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk
Campus Benjamin Franklin (CBF)
Haus I | 1.
icate: 2048 bit
RSA, signature: RSA-SHA256
Right now I'm correlating using field #5 (IP:Port), but is there an easier way?
Is the TLS version in any environment variable so I can log it using a
client-connect or learn script?
--
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäfts
I want to transition from an old, internal CA (easyrsa) to a new,
internal CA (also easyrsa).
But how do I do this? Can I make openvpn accept client certificates
from two CAs (the old and the new one)?
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk
* Bo Berglund :
> On Wed, 21 Jul 2021 10:57:50 +0200, Ralf Hildebrandt
> wrote:
>
> >But how do I do this? Can I make openvpn accept client certificates
> >from two CAs (the old and the new one)?
>
> Why using a new certificate?
I need a new CA due to the German
Error appeared.
Use https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk
Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155
ralf.hi
s more issues. E.g. it is unable to import configs with multiple
connection blocks.
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk
Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155
ralf.hil
e GUI &
openvpn process?
--
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk
Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155
ralf.hildebra...@charite.de
htt
ok at how other people do it...
Thanks for the quick response!
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk
Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155
ralf.hildebra...@c
mitigate the fingerprinting, is it possible to prevent the details of
> IFACE and HWADDR from being transmitted to my VPN provider?
Are they REALLY transmitted to your VPN provider?
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk
Campus Benjamin
49786 peer info: IV_COMP_STUB=1
ip.add.re.ss:49786 peer info: IV_COMP_STUBv2=1
ip.add.re.ss:49786 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
ip.add.re.ss:49786 peer info: IV_SSO=openurl
--
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk
C
provided by my VPN
> provider. As a connection is being made, many lines of text flash
> across the terminal. Please tell me if the lines of text that I see
> belong to the server's log?
No, that's your client's log.
--
Ralf Hildebrandt
Charité - Universitätsmedizin Berli
00:26 openvpn2019 udp[703]: OpenVPN 2.4.8 x86_64-pc-linux-gnu [SSL
(OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 30 2019
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk
Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Rau
your openssl
> library does NOT use hardware crypto.
10 times faster - thanks!
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk
Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155
ralf.hildebr
(read: ssh) sessions.
Are there tuning tips regarding this particular setup (or openvpn on
virtualized hardware), or is virtualbox merely a poor choice :)
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk
Campus Benjamin Franklin (CBF)
Haus I | 1. OG
er environment, I'd suggest a
> type 1 hypervisor. ESXi 6.x Free is a good choice and I've run many
> OpenVPN installs on it with good results,
Thanks.
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk
Campus Benjamin Franklin (CBF)
Haus I
arite.de
port 1194
explicit-exit-notify
cipher AES-256-GCM
data-ciphers AES-256-GCM
auth SHA256
remote-cert-tls server
verify-x509-name "C=DE, ST=Berlin, L=Berlin, O=Charite-VPN, OU=GB-IT,
CN=openvpn.charite.de, emailAddress=v...@charite.de" subject
remote-cert-eku "TLS Web Se
er options incompatible with DCO"
> or so. Arne?
We totally agree. Although the authentication went OK the user is
greeted with a "re-enter your password"
--
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk
Campus Benjamin Franklin
ere: Does this matter? Is the tun0 interface taken down too
early? Should I even care?
--
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk
Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30
e
> nobind
> persist-key
> persist-tun
> verb 4
> remote-cert-tls server
> ping 10
> ping-restart 60
> sndbuf 524288
> rcvbuf 524288
> cipher AES-256-CBC
> --disable-dco
Shouldn't "--disable-dco" rather be "disable-dco" when used inside
y. We were pushing
"compress" to 2.6 clients. But how can I check what the client is
willing to support?
--
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk
Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30