ing it like that
would work for however long that program would be around anyway.
I know all of the programs I wrote commercially have been superseded by
something else now, so it did not matter that I did it correctly. ;-)
Bonno Bloksma
file here as an attachment, it is only 4k.
-Original message-
From: Bonno Bloksma
Sent: Wednesday 6 December 2023 17:29
To: openvpn users list (openvpn-users@lists.sourceforge.net)
Subject: openvpn on QNAP
Hi,
I have been using my QNAP as my OpenVPN server for a while
nks that one got by me when I created a new server. :-(
> Of course, if everything is working as you have it, then "don't touch it" is
> a wise course.
Of course but then, if we know it is not the best config, why wait for it to go
wrong. ;-)
Bonno Bloksma
they looked good at what was missing from IPv4 and was
available in other protocols like IPX where you never did any configuration on
the client.
I have noticed that if the local dns server is properly configured everything
works by default.
Bonno Bloksma
Hi,
>> It's time to move from bullseye to bookworm. Based on the previous
>> years experience I've always preferred a fresh install vs. an
>> upgrade, since the freshly installed system always runs smoother and
>> was not littered with any old junk left from the old system.
[]
>> Could
ink / ISP for that ip number.
It is no different from any other ip number, be it 10.x.x.x and 172.16.x.x or
192.168.1.x or some public ip number, the routing has to be correct.
The registrar for the ip number will not dictate what machine can use the ip
number nor what other ip number can be o
"requirement" when I was hosting my own mailserver and
spam/malware filter over 5 years ago.
Bonno Bloksma
ion, and none without.
[...]
> And it's definitely not the good solution but you could transfer the full
> zone (or get a copy of the file) and serve it as master.
Nah, I do not want to do that. Too many updates on the internal zone, I would
need to copy at least every 5 min. Also other reasons.
Bonno Bloksma
at toplevel .nl. (being the parent zone) tells that
any response from a tio.nl dns server should be a secure response. And
therefore bind does not accept it?
Where does bind store this info and can I overrule it?
Bonno Bloksma
9:25:45 linbobo named[554]: insecurity proof failed resolving 'tio.nl/NS/IN': 172.16.208.10#53
--
It is still weird. What else can we try? Is there something we can do to see
what it IS getting back so we can compare it with what it should be?
I even just now tried
--
linbobo:/var/cache/bind# service named stop
linbobo:/var/cache/bind# ll
total 3300
-rw-r--r-- 1 bind bind     821 Jun 1 09:16 managed-keys.bind
-rw-r--r-- 1 bind bind    1856 Jun 1 09:16 managed-keys.bind.jnl
-rw-r--r-- 1 bind bind 3367966 May 8 11:37 named_dump.db
linbobo:/var/cache/bind# rm *
linbobo:/var/cache/bind# service named start
linbobo:/var/cache/bind# dig tio.nl NS
--
But still same result. :-(
Bonno Bloksma
;; Query time: 20 msec
;; SERVER: 172.16.208.10#53(172.16.208.10)
;; WHEN: Fri May 19 10:48:07 CEST 2023
;; MSG SIZE rcvd: 816
Bonno Bloksma
y user that learned
something and that you were able to educate a few more users as well.
Bonno Bloksma
:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;einsccmdp-01.tio.nl. IN A
;; ANSWER SECTION:
einsccmdp-01.tio.nl.    1200    IN    A    172.16.212.18
;; Query time: 12 msec
;; SERVER: 172.16.208.10#53(172.16.208.10)
;; WHEN: Mon May 08 11:42:37 CEST 2023
;; MSG SIZE rcvd: 64
Bonno Bloksma
ly the last 2 and see where
things go from there.
From now on I am going to keep better track on the number of kernels on the
system.
Bonno Bloksma
els.
I understand there are circumstances where not all modules assigned to a kernel
version are part of the kernel. But... would they be of any use when that
kernel version is no longer installed?
Bonno Bloksma
y;
forwarders {172.16.128.40; 172.16.208.10;};
};
zone "tio.test" IN {
type forward;
forward only;
forwarders {172.16.128.40; 172.16.208.10;};
};
---------
Why does it first go to the public dns and then run into the dnssec problem?
There is a direct definition for the tio.nl zone in my config file.
Bonno Bloksma
report the symptoms.
BTW I noticed this not only in my bullseye systems but also in my older busters
systems. The folders are just smaller and therefore it did not really impact my
diskspace on / which is why I never noticed it.
Bonno Bloksma
cmdp-01.tio.nl/DS/IN': 172.16.128.40#53
May 2 11:24:27 linbobo named[574]: validating tio.nl/SOA: got insecure response; parent indicates it should be secure
May 2 11:24:27 linbobo named[574]: no valid RRSIG resolving 'einsccmdp-01.tio.nl/DS/IN': 172.16.208.10#53
May 2 11:24:27 linbobo named[574]: broken trust chain resolving 'einsccmdp-01.tio.nl/A/IN': 172.16.128.40#53
---
Bonno Bloksma
If I can delete it, is there a proper way to clean it up or do I just rm
/usr/lib/modules/5.10.0- for the older kernels?
Is this a BUG in Bullseye?
p.s. Looking at this I just noticed I need to do an update on lunutr, I will
do that right after sending this mail ;-)
Kind regards,
Bonno
ome?
I may be totally wrong but, as the first problems started when we switched to
dnssec on the external dns environment, it feels like that is related to the
validation lines I see.
Is there a solution?
Bonno Bloksma
ey provided.
That was something completely new, you never heard of it before, neither do I
though. ;-)
Bonno Bloksma
Package: d-i
Severity: minor
Dear Maintainer,
Testing with a new Debian bookworm install, downloaded apr 24 2023, I noticed
my nftables.conf firewall configuration never gets loaded.
After some testing and searching on the net I found it is disabled by default. As
the /etc/nftables.conf file
installs and enable the
firewall. It seems after I changed the iptables script to a nft config I have
been running my buster machines with a proper nft config that NEVER got loaded.
:-(
Bonno Bloksma
Hi Dan,
>> I thought I understood it all and as far as I know I have a working config.
>> But just trying to get a listing of the running config shows NOTHING.
>> linbookwormtest:~# nft list ruleset
>> linbookwormtest:~#
>
> That says that you have no firewall set up.
That was my conclusion as
go wrong by not understanding how it all connects.
If I install dhcp it comes with default config files. If I change them then
THAT config gets loaded.
If Debian does NOTHING with that nft config file then why is it there?
Is this a bug?
Bonno Bloksma
continue? It isn't even working on a clean install of Debian
bookworm with the default config file.
Bonno Bloksma
Hi,
[...]
> Now, if you add tls-auth or tls-crypt to the server (+client) config, even a
> correct "openvpn UDP initial handshake" packet will *not* make the server
> reply,
> unless you also have the right tls-auth/tls-crypt configured on the client
> side - which needs a (secret!) key to do
> work.
I can rebuild a Debian machine quite fast and have it up and running with for
instance the DHCP service within the hour having all the correct config and
other stuff I want.
I would like to know for which systems I really need to do this. ;-)
Bonno Bloksma
y extra charge as it is NORMAL
internet access.
Kind regards,
Bonno Bloksma
___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
nfigs manageable. ;-)
And an update. It seems this dhcp server is reacting to requests on the local
network even though there is no config to do so.
I see DHCPINFORM and DHCPACK lines for the local 10.0.1.0 network.
Why is that happening? Is it just parroting what the other authoritative dhcp
serv
locations. That helps
a lot with keeping the configs manageable. ;-)
Bonno Bloksma
n
machine before and have yet to read all the documentation as to how I can
install a perl script as an extension. Anyone who can help, please do so. What
do I need to focus on at first?
Bonno Bloksma
al and
on the internet then you might need a dns resolver in between that knows what
to resolve itself and what to forward to the "other network" dns server.
I have it set up that way on my home situation where any dns name company.org
gets sent to the company dn
to saturation at any given moment
in the day.
Bonno Bloksma
as the receiving server has
no problem with the discrepancy in the ip number, hostname and PTR record.
Bonno Bloksma (mobile)
On 4 Jun 2021 at 22:01, Fermin Francisco wrote the following:
Hi!
My problems are two:
After I put the push "redirect-gateway local def1" in server
n going on with what a mail server/client should accept and
try to interpret when the sender does not follow the proper rules.
Kind regards,
Bonno Bloksma
senior system administrator
e router, all devices connected to the switches.
I could have bought a bigger POE switch but I already had the other switch(es)
before I needed some POE ports.
Bonno Bloksma
set will load and all will be up and running again. I'd like to keep that
way of setting things up, it makes it easy to test a new set of rules and debug
typos.
Bonno Bloksma
of
this machine?
Bonno Bloksma
ll exists, it is
empty, no 70-persistent-net file present.
See https://wiki.debian.org/NetworkInterfaceNames why and how to get another
set of predictable names like lan0 if you want that.
Bonno Bloksma
://wiki.debian.org/UEFI but that does not answer my questions above.
Bonno Bloksma
up and running for which there is a
separate file in interfaces.d/ ?
That file might then not even have a gateway statement if it used dhcp.
Bonno Bloksma
and
student.tio.nl for stuff that relates to the students.
But at one time it was the "official policy" to use .local for internal
stuff. It was even in documentation and course material in those days.
That was of course years before someone decided to use .local for mDns which
then led to the current confusion. :-(
Bonno Bloksma
to an executable, other than doing it one by one.
Bonno Bloksma
Hi David,
> Where would you use it? Why not just drop 12-hour times?
> I don't think I've ever formatted a 12-hour time on a computer (unless you
> want to count the example quoted below).
>
Yup, pretty much when we "send" time info to someone when it is not live
face-to-face using a 12-hour
nde versie.
Kind regards,
Bonno Bloksma
senior system administrator
tio
university of applied sciences
begijnenhof 8-12 / 5611 el eindhoven
t +31 (0)40-296 28 28
b.blok...@tio.nl / www.tio.nl
Hello Celejar,
>> WPA2's (that's your conventional WiFi standard) secure configuration
>> is fiendishly difficult.
> I take your point, but "fiendishly difficult"? I think you're exaggerating.
I think so too, WPA2 has been around for a rather long time and all software
knows about it.
>> You
hat can break during a normal upgrade?
Bonno Bloksma
will the program become active to send the
mail to the smarthost?
Where can I find more info? It seems this might be my lightweight solution.
Using Google for ssmtp gives mostly links to secure smtp.
Bonno Bloksma
and does not get me much closer to what I want. :-(
Who can help me and point me to some relevant info?
Bonno Bloksma
SA_...) it works like
expected.
Now I have a crl file that is valid until after my CA expires, that's long
enough. ;-)
Bonno Bloksma
ys $SA_EXPIRE -out "$CRL" -config "$KEY_CONFIG"
but that still generated a crl file for one month.
Bonno Bloksma
es, this is a static environment with currently just
3 links, so just a few keys/certs that will never change. I control all clients
so I could even just delete a key on the client if I don't want to use it
anymore.
Only when I suspect some foul play would I ever need to revoke a
Hi Paul,
> Updated from Stretch to Buster (non-free) the other day all went fine, just
> undertaken
>
> apt update && apt upgrade
>
> today and all seem to go fine, The process seems to be pretty painless for
> the most part.
I do hope you did
apt dist-upgrade
too. ;-)
Bonno Bloksma
ines like DHCPINFORM, DHCPACK, DHCPREQUEST,
DHCPOFFER, DHCPNAK, etc.
But of course I do want to have those regular log lines stored somewhere like
in a /var/log/dhcp/dhcpd.log file
So, how do I do that?
Bonno Bloksma
libntlm0 libpython2.7 mailutils mailutils-common mysql-common psmisc
0 upgraded, 19 newly installed, 0 to remove and 0 not upgraded.
Need to get 9,530 kB of archives.
----
Bonno Bloksma
ult.nanorc file back into the /usr/share/nano dir. I
want it to be a system wide default as the current default is "a bit sparse" ;-)
I now better understand the logic why my default file got replaced. Still it
would have been better if there was some kind of warning but I understand the
logic and I can live with it. :-)
Thanks for the explanation
Bonno Bloksma
ere around. But that is just a bit of extra info and does not
mitigate this problem.
Bonno Bloksma
stopping and
starting the service does not go well if the interface definition and/or the
dhcpdX.conf config file is not correct.
I have not invested enough time, nor do I have the need, to find out exactly
what works and what does not.
Now after the reboot and a normal dhcpd.conf file for ipv4 all is well. :-)
Bonno Bloksma
Hi,
>On Thu, Sep 06, 2018 at 05:33:39PM +0000, Bonno Bloksma wrote:
>> Sep 06 17:47:42 linom1 isc-dhcp-server[1668]: Launching both IPv4 and IPv6
>> servers (please configure INTERFACES in /etc/default/isc-dhcp-server if
> Please edit the file above and place your network inte
p-server.service: Unit entered failed state.
Sep 06 17:47:42 linom1 systemd[1]: isc-dhcp-server.service: Failed with result 'exit-code'.
lines 1-17/17 (END)
Who can help me?
Bonno Bloksma
tems a long time ago with
email, why go back to something like that?
Bonno Bloksma
ncy in the kernel module itself but more everything
else that is dependent on it. Ok now I understand the reason for dist-upgrade.
In my mind I could find anything the kernel was dependent on so why would it be
held back due to a dependency issue
Bonno Bloksma
do the apt-get install ?
I have this "problem" on at least 2 Wheezy machines. One I cannot upgrade to
Lenny. Which is the reason I have at least one other (not critical) machine
also at Wheezy so I can compare and test.
Bonno Bloksma
the quicksupport download they will always have the new version.
Bonno Bloksma
e did not work.
But could you clear up whether the supersede still works if properly listed in
/etc/dhcp/dhclient.conf ?
Bonno Bloksma
DHCPDISCOVER from 58:c5:cb:58:8a:a9 (android-a4a8b22c312e06c0) via 172.16.212.1
Aug 30 12:20:35 linein dhcpd: DHCPDISCOVER from 04:4b:ed:6f:2a:e6 via 172.16.212.1
Bonno Bloksma
n the config my DHCP server stopped and did not come up until I
fixed the typo and (re)started the service. Which took a while as I got
disturbed and the change was not urgent and I assumed the service was still
running :-(
Is there any way to get the old functionality back?
Bonno Bloksma
6_02_0020.swi to 172.16.32.15:12554
Aug 15 14:50:51 linein atftpd[496]: recvmsg: Message too long
Aug 15 14:50:51 linein atftpd[496]: tftpd_file.c: 958: recvfrom: Message too long
===
Kind regards,
Bonno Bloksma
ible right now to understand
what is going on.
Bonno Bloksma
t a screen for
the config but I never got that.
So how do I configure this program? I want to run it as a service
Bonno Bloksma
log/openvpn-user.log {
rotate 12
monthly
copytruncate
compress
missingok
notifempty
}
Is this still the best way to do it?
Using OpenVPN Version: 2.3.4-5+deb8u2 on Debian
Bonno Bloksma
but I have not really found it to speed up the boot
process when using a SSD to boot from.
Bonno Bloksma
and
will fail if that no longer exists.
Bonno Bloksma
t might not respond to a
recursive query.
AFAIK iptables has nothing to do with this. You cannot block dns requests at
the iptables level as it cannot distinguish between a request for your own
domain, to which BIND should respond, and a recursive request for another
domain, which BIND should ignore.
Bonno Bloksma
ay if there are any upgrades to be applied
5 5 * * 0 root /usr/local/bin/upgradereport.sh
It does run as root but then why shouldn't it?
Add the -V switch to the apt-get upgrade line to see from which version to
which version the upgrade is needed.
I just do not need that in my mail, I'll see that when I perform the upgrade.
Bonno Bloksma
rt the GUI want to connect right after that.
I assume this would only autoconnect if there was only 1 config to use,
otherwise the software might launch the wrong VPN.
Bonno Bloksma
--
Hi,
>On Tue, Nov 29, 2016 at 11:10:11AM +0100, Vincent Truchseß wrote:
>> Since upgrading to stretch my system keeps hanging on shutdown with
>> only a cursor visible, but no output. tty0 still shows output from the
>> previous boot.
>>
>> There is no error-message, but SysRq-Keys still work.
Hi,
>On Monday 17 October 2016 20:32:54 Richard Owlett wrote:
>> So I'm looking to near future when >= 128 GB flash drives available.
>
> They already are, and larger. See e.g.
>
> http://www.novatech.co.uk/products/components/memory-usb/usb3.0/muf-128bbeu.html
> and
>
xceeded. So, any length of cable *as long as it certifies as CAT5e/6/6A*
> will work for gigabit ethernet.
>
> In practice, you'll find good CAT6 1m patch cables readily available, I've
> never seen anyone bother selling anything shorter than that, but YMMV.
For switch to switch connections I use Cat6 0,5m cables a lot, that is just
under 2ft.
Bonno Bloksma
than just having multiple ip addresses in the
same network on the same interface.
What are you trying to achieve?
Bonno Bloksma
the KEY_SIZE, run
build-dh and then set it back to what I have?
3) Is there any use in creating an even bigger dh file, let's say an 8192 bit
version?
Bonno Bloksma
--
24 but can't see other clients in
> 192.168.2.0/24. And so for all clients.
This looks to be impossible. The whole idea of having 1 network segment is that
members can communicate directly over layer 2 without any router/firewall in
between.
Bonno Bloksma
probably edit the 70-* udev file to create my familiar ethX
names.
> [0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550240
> [1]
> https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/
Bonno Bloksma
?
Bonno Bloksma
ow?
>
> Would you rather the upgrade came to a halt because of some relatively minor
> issue?
Yes and no, according to apt-get it was a minor issue of a mandb update, the
root cause was a major issue.
>
> apt-get --reinstall install openssh-server
>
> could be run after space is freed up.
I did it by running the dpkg line, same end result I guess.
Thanks for the explanation and help fixing it.
Bonno Bloksma
ge for ssh or something like that?
After cleaning up I did another apt-get upgrade but it reported nothing to do.
So if it failed to update some files why did it complete anyhow?
Bonno Bloksma
The complete log in case it is needed:
Log started: 2016-04-20 08:18:15
(Reading database ... ^M [.] Readin
penVPN is another one.
Unless you really want to debug why, just create a script that does a service
network restart first and then a service openvpn restart.
Bonno Bloksma
outing lines you added that depend on an ip-address
being reachable.
Other services / settings may need to be restarted as well.
Bonno Bloksma
are getting bigger / better WiFi transmitters as well and
THEN bother you? ;-)
It is best to adhere to "researched best practices" I think.
Bonno Bloksma
because of the
lower reach the chance of interference is lower as well. However, because of
that you might need more transmitters as well.
Bonno Bloksma
t;
Should there not also be a link to the old Squeeze to Wheezy upgrade
instructions?
There were several gotchas if I remember.
Bonno Bloksma
er what I used as search
key(s) but my first 4-5 hits did not provide an answer, which is why I asked.
Thanks for your pointers as well.
Bonno Bloksma
to the user
token at login. Changes in group membership have no effect until the user logs
in again.
Bonno Bloksma
;1
# Step 2: show the upgrades
apt-get --dry-run upgrade | grep Inst > "$TMPFILE"
if grep -E -q '^Inst' "$TMPFILE"
then
mail -s "$SUBJECT" "$MAILREC" < "$TMPFILE"
fi
rm "$TMPFILE"
Kind regards,
Bonno Bloksma
senior system administrator
Sniffer on a
Windows platform.
With kind regards,
Bonno Bloksma
system manager
tio
university of applied sciences
julianalaan 9 / 7553 ab hengelo / the netherlands
t +31 (0)74-255 06 10
b.blok...@tio.nl / www.tio.nl
Follow us on T
014 as the last time something was actively done.
Even the documentation lists nothing after 2014 and still talks about special
settings for the (local) dns server on a Windows 2013 server.
With kind regards,
Bonno Bloksma
system manager
tio
university of applied sciences
julianalaan
of ISC DHCP server: dhcpd is running.
Please fix the package in Squeeze-lts so I can have the dhcpd.conf file in its
proper place.
Bonno Bloksma
A few months ago we switched to Palo Alto firewalls which inspect the traffic
and filter on that. I can now filter on for instance allow facebook traffic but
deny facebook games. That level of filtering is "a bit
still accept all established and
related traffic.
But the second line from Jan
$IPTABLES -A FORWARD -o tun+ -j ACCEPT
Covers that a bit more explicitly.
This is my basic firewall rule set for a "simple" Linux box acting sometimes as
a router if no additional filters are neede