Re: [gentoo-user] openvpn experience, anyone?

2022-09-19 Thread n952162

On 9/18/22 14:23, William Kenworthy wrote:


On 18/9/22 16:26, n952162 wrote:


On 9/18/22 09:52, William Kenworthy wrote:


On 18/9/22 15:26, n952162 wrote:

Hello all,

I want to ssh over my openvpn connection, and I can't do it, the
connection times out.

I saw a reference to gentoo in the openvpn scripts in /etc/openvpn and
thought maybe somebody here  knows something about this.

Earlier my institution recommended openconnect, and I was able to use
ssh to log in to a host with no problem.

Then, for some reason (licensing?), we were switched to openvpn, which
works for xfreerdp but not for ssh.

I don't have control over the institution's firewall (but I do have
for
the host itself)

Perhaps when installing the new service, they tightened up the
firewall
rules.  But maybe there's a configuration screw I can turn, or ...
maybe
a USE flag?

 - - down-root : Enable the down-root plugin
 - - examples  : Install examples, usually source code
 - - inotify   : Enable inotify filesystem monitoring support
 - - iproute2  : Enabled iproute2 support instead of net-tools
 + + lz4       : Enable support for lz4 compression (as implemented in app-arch/lz4)
 + + lzo       : Enable support for lzo compression
 - - mbedtls   : Use mbed TLS as the backend crypto library
 + + openssl   : Use OpenSSL as the backend crypto library
 + + pam       : Add support for PAM (Pluggable Authentication Modules) - DANGEROUS to arbitrarily flip
 - - pkcs11    : Enable PKCS#11 smartcard support
 + + plugins   : Enable the OpenVPN plugin system
 - - systemd   : Enable use of systemd-specific libraries and features like socket activation or session tracking
 - - test      : Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently)

TIA



ssh and openvpn work well together.  However I am doing most of the
work using my own configs - gentoo tries to be too clever with its vpn
networking and I've never been able to get it to work
reliably/acceptably.  On some sites I have to use port 443 (https) to
get through, and in extreme cases double wrap in ssl (using a mix of
proxytunnel (windows host), stunnel and sslh) to disguise it's a vpn
but still separate it from regular https traffic on my firewall.  You
will need to figure out where the ssh is getting blocked/stripped out
- is openvpn your endpoint or theirs?

BillK





I don't understand that question: "is openvpn your endpoint or theirs" -
don't both sides have an endpoint on the tunnel?

That would have been a class idea, using the https port ...
unfortunately, there's a web server running on that machine... it's not
being used, however ... hmmm.

Wow: "in extreme cases double wrap in ssl (using a mix of proxytunnel
(windows host), stunnel and sslh) to disguise its a vpn but still
separate it from regular https traffic on my firewall." - sounds totally
cool, except I have no idea what it means... which concept should I
start with?

- proxytunnel

- sslh

- double wrapping in ssl


1. Do you have control over both openvpn endpoints?  Typically in a
roadwarrior setup the company IT dept owns one and you don't get
access to it which can make it very difficult to see whats going on -
if you can access the configs of both ends its much easier. The
firewall you mention might be dropping ssh packets exiting the tunnel
if its hosting an endpoint that is subject to the firewall?  Routing
multiple hops past the vpn endpoint can be another issue with openvpn.



Ah, now I have a  better understanding of the question - yes,
unfortunately, the vpn goes to the institution's intranet.  I control
the client and the host, and the link to the institution, but the remote
endpoint of the tunnel is not in my control.




2. SSL packets have identifiers in the headers that indicate the type
of traffic within - sslh is a multiplexor that detects openvpn,
openssl, openssh etc. via the ssl packet headers (does not need to see
into the encryption to do this) and redirects the packets to different
hosts/ports as applicable - e.g, ssl web traffic to your web server
and openvpn ssl to to the vpn concentrator even though it all comes in
as ssl on port 443.



Okay, that gets me a lot closer.   Thank you.



3a. Before retiring I was working within various seriously locked down
networks and needed to reach my own home server - some of the
commercial firewalls are able to break and examine ssl streams, or
identify it was openvpn on port 443 and block it.  If you are using a
commercial certificate with openvpn this may be happening.

3b. If you own/host both ends of the vpn tunnel on your own machines,
use the end-to-end encryption options, and a private certificate. By
feeding the openvpn ssl stream through something like proxytunnel you
are encrypting the stream a second time with https characteristics
which gets around this to some degree (if they do bother break out the
ssl, they are 
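To make the sslh explanation above concrete, here is an added Python example (not sslh's code and not from any post in this thread) that classifies a connection from its first bytes the way a port-sharing demultiplexer does: SSH sends a clear-text identification banner, TLS opens with a handshake record header, and OpenVPN over TCP opens with a length prefix followed by a hard-reset control opcode. The same framing is what an inspecting firewall (point 3a above) keys on, which is why moving a VPN to port 443 by itself does not make it look like HTTPS. The backend addresses and sample bytes are constructed; the signatures are this example's own simplified rules.

```python
"""Classify a TCP connection from its first bytes, the way a port-sharing
demultiplexer such as sslh does: by protocol framing alone, never by looking
inside encrypted content. Added example with its own simplified signatures;
it is not sslh's code. Backend addresses and sample bytes are constructed."""
import struct

# Where a demultiplexer listening on :443 would hand each kind of connection
BACKENDS = {
    "tls": ("127.0.0.1", 8443),       # the real web server
    "openvpn": ("127.0.0.1", 1194),   # the VPN concentrator
    "ssh": ("127.0.0.1", 22),
    "http": ("127.0.0.1", 8080),
}
OPENVPN_HARD_RESET_CLIENT_V2 = 7   # opcode carried in the top 5 bits of an OpenVPN packet's first byte


def classify(first_bytes: bytes) -> str:
    """'ssh', 'tls', 'openvpn', 'http' or 'unknown' for the opening bytes of a stream."""
    b = first_bytes
    # SSH: the client's identification string is sent in clear text (RFC 4253 section 4.2).
    if b.startswith(b"SSH-"):
        return "ssh"
    # TLS: record header = content type 0x16 (handshake), version 0x03 0x0X, 2-byte length.
    if len(b) >= 5 and b[0] == 0x16 and b[1] == 0x03 and b[2] <= 0x04:
        if struct.unpack("!H", b[3:5])[0] > 0:
            return "tls"
    # OpenVPN over TCP: 2-byte big-endian length prefix, then the control packet whose
    # first byte is (opcode << 3) | key_id. A new session opens with HARD_RESET_CLIENT_V2.
    if len(b) >= 3:
        pkt_len = struct.unpack("!H", b[:2])[0]
        if pkt_len == len(b) - 2 and (b[2] >> 3) == OPENVPN_HARD_RESET_CLIENT_V2:
            return "openvpn"
    # Plain HTTP: request line beginning with a method token.
    if any(b.startswith(m) for m in (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ")):
        return "http"
    return "unknown"


def route(first_bytes: bytes):
    """(host, port) to forward the connection to, or None when nothing matched."""
    return BACKENDS.get(classify(first_bytes))


# Constructed sample openings, one per protocol
SAMPLES = {
    "ssh": b"SSH-2.0-OpenSSH_9.3\r\n",
    # handshake record, TLS 1.0 record version, 8-byte body (ClientHello header, truncated)
    "tls": b"\x16\x03\x01\x00\x08" + b"\x01\x00\x00\x04\x03\x03\x00\x00",
    # length 14, opcode byte 0x38, 8-byte session id, empty ack array, packet id 0
    "openvpn": b"\x00\x0e" + bytes([OPENVPN_HARD_RESET_CLIENT_V2 << 3]) + b"\x11" * 8 + b"\x00" + b"\x00" * 4,
    "http": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:8s} -> {classify(data):8s} {route(data)}")
```

A real demultiplexer reads only enough bytes to decide (sslh also falls back to a default backend after a timeout, so that a server-speaks-first protocol still gets somewhere); the point here is that none of the decisions needs a key, which is also why the classification runs just as well on a middlebox.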

Re: [gentoo-user] openvpn experience, anyone?

2022-09-18 Thread Grant Taylor

On 9/18/22 1:26 AM, n952162 wrote:
I want to ssh over my openvpn connection, and I can't do it, the 
connection times out.


IMHO the first, second, and third thing to try when OpenSSH clients fail 
for some reason is `-v`, `-v -v`, and `-v -v -v` in your ssh command(s).


That will almost always give you some sort of indication of the next 
place to start looking.


That being said, -- assuming routing is good -- I would also question an 
MTU issue.  The symptoms of this are OpenSSH establishes the TCP 
connection that carries the data and starts negotiating the SSH protocol 
but fails part way through and starts timing out when big packets are 
sent but never make it to the other end.


As Michael alluded to, trying to SSH from the local gateway to the 
remote gateway can be a little tricky to configure as there can be a 
couple of source IPs (local inside & local outside) as well as a couple 
of destination IPs (remote outside & remote inside).  Tunnels usually 
cover local inside communicating with remote inside but fail to account 
for any outside addresses.  --  N.B. this can usually be addressed with 
a judicious route statement that specifies which source address to use.




--
Grant. . . .
unix || die



Re: [gentoo-user] openvpn experience, anyone?

2022-09-18 Thread Michael Orlitzky
On Sun, 2022-09-18 at 09:26 +0200, n952162 wrote:
> 
> Then, for some reason (licensing?), we were switched to openvpn, which
> works for xfreerdp but not for ssh.
> 
> I don't have control over the institution's firewall (but I do have for
> the host itself)
> 

Is the machine that you're trying to SSH into also on the VPN? If so,
it may have a firewall rule like "allow SSH from the LAN" but be
missing a rule that says "allow SSH from the VPN interface."




Re: [gentoo-user] openvpn experience, anyone?

2022-09-18 Thread n952162

On 9/18/22 11:08, Michael wrote:

On Sunday, 18 September 2022 08:52:13 BST William Kenworthy wrote:

On 18/9/22 15:26, n952162 wrote:

Hello all,

I want to ssh over my openvpn connection, and I can't do it, the
connection times out.

I saw a reference to gentoo in the openvpn scripts in /etc/openvpn and
thought maybe somebody here  knows something about this.

Earlier my institution recommended openconnect, and I was able to use
ssh to log in to a host with no problem.

Then, for some reason (licensing?), we were switched to openvpn, which
works for xfreerdp but not for ssh.

I don't have control over the institution's firewall (but I do have for
the host itself)

Perhaps when installing the new service, they tightened up the firewall
rules.  But maybe there's a configuration screw I can turn, or ... maybe
a USE flag?

  - - down-root : Enable the down-root plugin
  - - examples  : Install examples, usually source code
  - - inotify   : Enable inotify filesystem monitoring support
  - - iproute2  : Enabled iproute2 support instead of net-tools
  + + lz4       : Enable support for lz4 compression (as implemented in app-arch/lz4)
  + + lzo       : Enable support for lzo compression
  - - mbedtls   : Use mbed TLS as the backend crypto library
  + + openssl   : Use OpenSSL as the backend crypto library
  + + pam       : Add support for PAM (Pluggable Authentication Modules) - DANGEROUS to arbitrarily flip
  - - pkcs11    : Enable PKCS#11 smartcard support
  + + plugins   : Enable the OpenVPN plugin system
  - - systemd   : Enable use of systemd-specific libraries and features like socket activation or session tracking
  - - test      : Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently)

TIA

ssh and openvpn work well together.  However I am doing most of the work
using my own configs - gentoo tries to be too clever with its vpn
networking and I've never been able to get it to work
reliably/acceptably.  On some sites I have to use port 443 (https) to
get through, and in extreme cases double wrap in ssl (using a mix of
proxytunnel (windows host), stunnel and sslh) to disguise it's a vpn but
still separate it from regular https traffic on my firewall.  You will
need to figure out where the ssh is getting blocked/stripped out - is
openvpn your endpoint or theirs?

BillK

Could it also be an issue with MTU being too large?  It should be easy to test
with:

ping -c 1 -v -M do -s 1464 

and decrease the packet size until it gets through.  Then configure your client
accordingly:

https://community.openvpn.net/openvpn/wiki/271-i-can-ping-through-the-tunnel-but-any-real-work-causes-it-to-lock-up-is-this-an-mtu-problem



That was a good idea!  Unfortunately, in this case it wasn't the cause:

   -- ping  statistics ---
   1 packets transmitted, 1 received, 0% packet loss, time 0ms
   rtt min/avg/max/mdev = 331.754/331.754/331.754/0.000 ms



Re: [gentoo-user] openvpn experience, anyone?

2022-09-18 Thread Michael
On Sunday, 18 September 2022 08:52:13 BST William Kenworthy wrote:
> On 18/9/22 15:26, n952162 wrote:
> > Hello all,
> > 
> > I want to ssh over my openvpn connection, and I can't do it, the
> > connection times out.
> > 
> > I saw a reference to gentoo in the openvpn scripts in /etc/openvpn and
> > thought maybe somebody here  knows something about this.
> > 
> > Earlier my institution recommended openconnect, and I was able to use
> > ssh to log in to a host with no problem.
> > 
> > Then, for some reason (licensing?), we were switched to openvpn, which
> > works for xfreerdp but not for ssh.
> > 
> > I don't have control over the institution's firewall (but I do have for
> > the host itself)
> > 
> > Perhaps when installing the new service, they tightened up the firewall
> > rules.  But maybe there's a configuration screw I can turn, or ... maybe
> > a USE flag?
> > 
> >  - - down-root : Enable the down-root plugin
> >  - - examples  : Install examples, usually source code
> >  - - inotify   : Enable inotify filesystem monitoring support
> >  - - iproute2  : Enabled iproute2 support instead of net-tools
> >  + + lz4       : Enable support for lz4 compression (as implemented in app-arch/lz4)
> >  + + lzo       : Enable support for lzo compression
> >  - - mbedtls   : Use mbed TLS as the backend crypto library
> >  + + openssl   : Use OpenSSL as the backend crypto library
> >  + + pam       : Add support for PAM (Pluggable Authentication Modules) - DANGEROUS to arbitrarily flip
> >  - - pkcs11    : Enable PKCS#11 smartcard support
> >  + + plugins   : Enable the OpenVPN plugin system
> >  - - systemd   : Enable use of systemd-specific libraries and features like socket activation or session tracking
> >  - - test      : Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently)
> > 
> > TIA
> 
> ssh and openvpn work well together.  However I am doing most of the work
> using my own configs - gentoo tries to be too clever with its vpn
> networking and I've never been able to get it to work
> reliably/acceptably.  On some sites I have to use port 443 (https) to
> get through, and in extreme cases double wrap in ssl (using a mix of
> proxytunnel (windows host), stunnel and sslh) to disguise it's a vpn but
> still separate it from regular https traffic on my firewall.  You will
> need to figure out where the ssh is getting blocked/stripped out - is
> openvpn your endpoint or theirs?
> 
> BillK

Could it also be an issue with MTU being too large?  It should be easy to test 
with:

ping -c 1 -v -M do -s 1464 

and decrease the packet size until it gets through.  Then configure your client 
accordingly:

https://community.openvpn.net/openvpn/wiki/271-i-can-ping-through-the-tunnel-but-any-real-work-causes-it-to-lock-up-is-this-an-mtu-problem



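An added example (not code from any post in this thread) that automates the MTU test Michael describes and the MTU failure mode Grant suspects further up: send don't-fragment pings and shrink the payload until one is answered, here by binary search rather than one size at a time. `ping_probe` assumes Linux iputils `ping` (`-M do`, `-s`, `-W`); the mssfix/fragment numbers are this example's own conservative derivation and not a value taken from the linked wiki page.

```python
"""Path-MTU probe for a VPN tunnel: ping with DF set and shrink the payload
until a reply comes back, then turn the result into OpenVPN settings.
Added example, not code from the thread. Assumes Linux iputils ping."""
import subprocess
from typing import Callable

IP_ICMP_OVERHEAD = 28       # 20-byte IPv4 header + 8-byte ICMP echo header
OUTER_IP_UDP_OVERHEAD = 28  # IPv4 + UDP header wrapped around each OpenVPN datagram


def ping_probe(host: str, payload: int, timeout_s: int = 2) -> bool:
    """One don't-fragment echo request of `payload` bytes; True if it was answered.
    `-M do` sets DF, so an oversized probe is dropped (or answered with
    'message too long') and ping exits non-zero either way."""
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def largest_passing_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 1472) -> int:
    """Largest payload in [lo, hi] for which probe() succeeds, by binary search.
    Relies on the usual monotonic behaviour (if N bytes pass, smaller sizes pass).
    hi=1472 is the payload that exactly fills a 1500-byte Ethernet frame."""
    if not probe(lo):
        raise RuntimeError(f"even a {lo}-byte probe failed: fix routing/firewall before tuning MTU")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid       # mid passed: the answer is mid or larger
        else:
            hi = mid - 1   # mid was dropped: the answer is smaller
    return lo


def suggest_openvpn_settings(payload: int) -> dict:
    """path_mtu is what the probe measured. The mssfix/fragment value is this
    example's conservative choice (an assumption, not a number from the wiki):
    leave room for the outer IPv4+UDP header so the encapsulated datagram
    never exceeds the path MTU."""
    path_mtu = payload + IP_ICMP_OVERHEAD
    inner = path_mtu - OUTER_IP_UDP_OVERHEAD
    return {"path_mtu": path_mtu, "mssfix": inner, "fragment": inner}


def probe_path(host: str) -> dict:
    """Run the real probe against `host` (the far tunnel endpoint) and report settings."""
    return suggest_openvpn_settings(largest_passing_payload(lambda n: ping_probe(host, n)))


if __name__ == "__main__":
    import sys
    print(probe_path(sys.argv[1]))
```

Run it as `python3 mtu_probe.py <address of the far tunnel endpoint>` while the tunnel is up. A single probe at one size, as in the thread, only tells you whether that size passes; the search also gives the exact ceiling, which is what you need when a slightly smaller value would have worked.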


Re: [gentoo-user] openvpn experience, anyone?

2022-09-18 Thread William Kenworthy



On 18/9/22 15:26, n952162 wrote:

Hello all,

I want to ssh over my openvpn connection, and I can't do it, the
connection times out.

I saw a reference to gentoo in the openvpn scripts in /etc/openvpn and
thought maybe somebody here  knows something about this.

Earlier my institution recommended openconnect, and I was able to use
ssh to log in to a host with no problem.

Then, for some reason (licensing?), we were switched to openvpn, which
works for xfreerdp but not for ssh.

I don't have control over the institution's firewall (but I do have for
the host itself)

Perhaps when installing the new service, they tightened up the firewall
rules.  But maybe there's a configuration screw I can turn, or ... maybe
a USE flag?

 - - down-root : Enable the down-root plugin
 - - examples  : Install examples, usually source code
 - - inotify   : Enable inotify filesystem monitoring support
 - - iproute2  : Enabled iproute2 support instead of net-tools
 + + lz4       : Enable support for lz4 compression (as implemented in app-arch/lz4)
 + + lzo       : Enable support for lzo compression
 - - mbedtls   : Use mbed TLS as the backend crypto library
 + + openssl   : Use OpenSSL as the backend crypto library
 + + pam       : Add support for PAM (Pluggable Authentication Modules) - DANGEROUS to arbitrarily flip
 - - pkcs11    : Enable PKCS#11 smartcard support
 + + plugins   : Enable the OpenVPN plugin system
 - - systemd   : Enable use of systemd-specific libraries and features like socket activation or session tracking
 - - test      : Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently)

TIA


ssh and openvpn work well together.  However I am doing most of the work 
using my own configs - gentoo tries to be too clever with its vpn 
networking and I've never been able to get it to work 
reliably/acceptably.  On some sites I have to use port 443 (https) to 
get through, and in extreme cases double wrap in ssl (using a mix of 
proxytunnel (windows host), stunnel and sslh) to disguise it's a vpn but 
still separate it from regular https traffic on my firewall.  You will 
need to figure out where the ssh is getting blocked/stripped out - is 
openvpn your endpoint or theirs?


BillK





Re: [gentoo-user] OpenVPN - error

2020-02-22 Thread Roger Welsh
Hi Thelma,

I think you need 
tls-server 
And 
tls-client 
In your respective configs below.

Reference:
https://askubuntu.com/questions/594868/openvpn-hmac-authentication-failure-no-matter-what-i-do

And
https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/ 
Grep for tls-server.


On 22 February 2020 11:08:02 PM NZDT, the...@sys-concept.com wrote:
>When I try to start openVPN on a client I see this error on a server:
>
>Sat Feb 22 02:32:10 2020 Authenticate/Decrypt packet error: packet HMAC
>authentication failed
>Sat Feb 22 02:32:10 2020 TLS Error: incoming packet authentication
>failed from [AF_INET]
>
>cat server.conf 
>proto udp
>port 9000
>dev tun
>mode server
>ca /etc/openvpn/cert/ca.crt
>cert /etc/openvpn/cert/clinic_atom.crt
>key /etc/openvpn/cert/clinic_atom.key
>dh /etc/openvpn/cert/dh.pem
>topology subnet
>server 192.168.141.0 255.255.255.0 
>client-to-client
>ifconfig-pool-persist ipp.txt
>client-config-dir ccd
>keepalive 10 120
>tls-auth vpn_clinic.key 0
>tun-mtu 1500
>tun-mtu-extra 32
>mssfix 1200
>duplicate-cn
>comp-lzo
>max-clients 100
>persist-key
>persist-tun
>status openvpn-status.log
>log /var/log/openvpn.log
>log-append /var/log/openvpn.log
>verb 3
>
>On client-config:
>clinic_atom.conf 
>client
>dev tun
>proto udp
>port 9070
>topology subnet
>remote xxx.xx.xx.xx 9070 # static IP
>resolv-retry infinite
>tun-mtu 1500
>tun-mtu-extra 32
>mssfix 1200
>persist-key
>persist-tun
>remote-cert-tls server
>ca "/etc/openvpn/clinic_atom/ca.crt"
>cert "/etc/openvpn/clinic_atom/syscon7.crt"
>key "/etc/openvpn/clinic_atom/syscon7.key"
>tls-auth "/etc/openvpn/clinic_atom/ta.key" 1
>comp-lzo
>log /var/log/openvpn.log
>log-append /var/log/openvpn.log 
>verb 3
>
>-- 
>Thelma

--
Kind regards,

Roger

Re: [gentoo-user] openvpn rc script dependencies

2018-04-11 Thread J. Roeleveld
On Tuesday, April 10, 2018 1:25:42 PM CEST Simon Thelen wrote:
> On 18-04-10 at 10:55, Christoph Böhmwalder wrote:
> > I was wondering how the OpenRC dependencies between start scripts work.
> > 
> > Basically, I have two network interfaces on my laptop (wlp3s0 and
> > enp0s20u2u3 for wireless and ethernet respectively).  When I start the
> > wireless interface service (rc-service net.wlp3s0 start) the OpenVPN
> > service starts and vice versa.  That's great, but I didn't configure
> > that anywhere.
> 
> What does your /etc/runlevels/ look like? Is the openvpn service in one
> of the runlevels? Are either of your network interfaces in one of the
> runlevels?
> 
> > What's even worse is that when I'm not connected via WiFi (i.e.
> 
> > ethernet), the VPN service won't start because net.wlp3s0 isn't started:
> [..]
> 
> > Why would it do that, can I configure this anywhere?
> 
> Also check /etc/rc.conf and try setting rc_depend_strict="NO". I do wish
> there were a way to modify require/provides without having to edit the
> init scripts themselves.

There is. You have (at least) 2 other options:

1) In the "/etc/conf.d" files (as I tend to do):
# grep need /etc/conf.d/postgresql-9.5
rc_need="netmount"
(This means, postgresql-9.5 needs the 'netmount' service to have started first)

# grep need /etc/conf.d/netmount 
rc_need="net iscsid"
(This means, netmount needs 'net' and 'iscsid' started first)

2) /etc/rc.conf
See the following section in the default version:
===
# It's possible to define extra dependencies for services like so
#rc_config="/etc/foo"
#rc_need="openvpn"
#rc_use="net.eth0"
#rc_after="clock"
#rc_before="local"
#rc_provide="!net"
===

--
Joost
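A small model, added here and not OpenRC's code, of the dependency rules Joost and Simon refer to (`rc_depend_strict` in /etc/rc.conf, `rc_need`/`rc_provide` in /etc/conf.d), applied to the laptop from the thread: two interfaces both provide `net`, and the openvpn init script needs `net`. It is simplified (every known service counts as a provider and `use` dependencies are ignored) but reproduces the behaviour Christoph describes, and shows what each override changes.

```python
"""Model of how OpenRC resolves a 'need net' dependency, to show why openvpn in
this thread starts along with net.wlp3s0 and refuses to start on the wired
interface alone. Added example that imitates the rc.conf/conf.d rules; it is
not OpenRC's code and is simplified (every known service counts as a provider,
'use' dependencies are ignored)."""
from dataclasses import dataclass, field


@dataclass
class Service:
    name: str
    need: set = field(default_factory=set)      # hard deps: depend() 'need ...' or conf.d rc_need
    provide: set = field(default_factory=set)   # virtual names this service satisfies, e.g. 'net'


def providers(services: dict, dep: str) -> set:
    """Every known service that satisfies `dep`, by name or through 'provide'."""
    return {s.name for s in services.values() if s.name == dep or dep in s.provide}


def missing_needs(services: dict, name: str, started: set, depend_strict: bool = True) -> set:
    """Services still required before `name` may start.

    rc_depend_strict="YES" (the default): every provider of a needed virtual
    service has to be up. "NO": one running provider satisfies it."""
    missing = set()
    for dep in services[name].need:
        provs = providers(services, dep)
        if not provs:
            missing.add(dep)          # nothing provides it at all
        elif depend_strict:
            missing |= provs - started
        elif not (provs & started):
            missing |= provs          # any one of these would do
    return missing


def apply_conf_d(services: dict, name: str, rc_need: str = "", rc_provide: str = "") -> None:
    """Overrides an /etc/conf.d/<service> file can add without editing the init script."""
    svc = services[name]
    svc.need |= set(rc_need.split())
    for p in rc_provide.split():
        if p.startswith("!"):
            svc.provide.discard(p[1:])   # "!net" withdraws a provide
        else:
            svc.provide.add(p)


def laptop_services() -> dict:
    """The thread's setup: two interfaces providing 'net', an openvpn script that needs it."""
    svcs = [
        Service("net.wlp3s0", provide={"net"}),
        Service("net.enp0s20u2u3", provide={"net"}),
        Service("openvpn", need={"net"}),
    ]
    return {s.name: s for s in svcs}


if __name__ == "__main__":
    s = laptop_services()
    wired_only = {"net.enp0s20u2u3"}
    print("strict :", missing_needs(s, "openvpn", wired_only, depend_strict=True))
    print("lenient:", missing_needs(s, "openvpn", wired_only, depend_strict=False))
```

With the default strict setting and only the wired interface up, `openvpn` still waits for `net.wlp3s0`, which is exactly the symptom in the thread; `rc_depend_strict="NO"` makes the one running provider enough, and `rc_provide="!net"` in the conf.d file of an interface takes it out of the set of providers altogether.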





Re: [gentoo-user] openvpn rc script dependencies

2018-04-10 Thread Mick
On Tuesday, 10 April 2018 14:59:39 BST Christoph Böhmwalder wrote:
> On Tue, Apr 10, 2018 at 01:25:42PM +0200, Simon Thelen wrote:
> > What does your /etc/runlevels/ look like? Is the openvpn service in one
> > of the runlevels? Are either of your network interfaces in one of the
> > runlevels?
> 
> Looking at `rc-status -a`, the openvpn service and the wifi interface
> are both in runlevel default (which is kind of intentional).  The wired
> interface is in runlevel manual (I don't use it that often, so that's
> fine).
> 
> The thing is, I want to:
> * Start the wifi service at boot
> * Start the openvpn service when _any_ network connection is active
> 
> > Also check /etc/rc.conf and try setting rc_depend_strict="NO". I do wish
> > there were a way to modify require/provides without having to edit the
> > init scripts themselves.
> 
> Unfortunately I can't test this anymore, but looking at the
> documentation this _should_ work.
> 
> Thanks!
> 
> --
> Regards,
> Christoph

I recall noticing a somewhat similar behaviour with the ipsec service of 
strongswan.  In particular, it would complain that the wired interface was not 
up and therefore ipsec would not start until then.  The wireless interface 
itself being up was not enough to start ipsec.  I used to start it up manually 
from the command line.  I didn't look into it back then.  I wonder if it was 
also something to do with the configuration of the start up script of ipsec.

PS. I had commented out #rc_depend_strict="YES" in /etc/rc.conf and set 
rc_hotplug="*", but did not experiment further with these settings at the 
time.

-- 
Regards,
Mick



Re: [gentoo-user] openvpn rc script dependencies

2018-04-10 Thread Christoph Böhmwalder
On Tue, Apr 10, 2018 at 09:28:10AM -0400, Michael Orlitzky wrote:
> This is half the problem, but the OpenVPN init script probably shouldn't
> have "need net" in its depend() function to begin with. It runs fine
> with only the loopback interface up.

That's exactly why I got confused.  Shouldn't it be possible to just
"tie" openvpn to _any_ network interface?  It's especially weird how it
just magically defaults to the wifi interface (it is in runlevel
default, but still).  Very unclear imo.

> You could try to file a bug for that with
> 
>   https://github.com/OpenRC/openrc/blob/master/service-script-guide.md
> 
> as a reference. There's a section titled "Be wary of 'need net'
> dependencies" that covers the issue.

That does look like it addresses the issue.  I'll try and poke around
in there.

Thanks!

--
Regards,
Christoph



Re: [gentoo-user] openvpn rc script dependencies

2018-04-10 Thread Christoph Böhmwalder
On Tue, Apr 10, 2018 at 01:25:42PM +0200, Simon Thelen wrote:
> What does your /etc/runlevels/ look like? Is the openvpn service in one
> of the runlevels? Are either of your network interfaces in one of the
> runlevels?

Looking at `rc-status -a`, the openvpn service and the wifi interface
are both in runlevel default (which is kind of intentional).  The wired
interface is in runlevel manual (I don't use it that often, so that's
fine).

The thing is, I want to:
* Start the wifi service at boot
* Start the openvpn service when _any_ network connection is active

> Also check /etc/rc.conf and try setting rc_depend_strict="NO". I do wish
> there were a way to modify require/provides without having to edit the
> init scripts themselves.

Unfortunately I can't test this anymore, but looking at the
documentation this _should_ work.

Thanks!

--
Regards,
Christoph



Re: [gentoo-user] openvpn rc script dependencies

2018-04-10 Thread Michael Orlitzky
On 04/10/2018 07:25 AM, Simon Thelen wrote:
> 
> Also check /etc/rc.conf and try setting rc_depend_strict="NO". I do wish
> there were a way to modify require/provides without having to edit the
> init scripts themselves.
> 

This is half the problem, but the OpenVPN init script probably shouldn't
have "need net" in its depend() function to begin with. It runs fine
with only the loopback interface up.

You could try to file a bug for that with

  https://github.com/OpenRC/openrc/blob/master/service-script-guide.md

as a reference. There's a section titled "Be wary of 'need net'
dependencies" that covers the issue.



Re: [gentoo-user] openvpn rc script dependencies

2018-04-10 Thread Simon Thelen
On 18-04-10 at 10:55, Christoph Böhmwalder wrote:
> I was wondering how the OpenRC dependencies between start scripts work.
> 
> Basically, I have two network interfaces on my laptop (wlp3s0 and
> enp0s20u2u3 for wireless and ethernet respectively).  When I start the
> wireless interface service (rc-service net.wlp3s0 start) the OpenVPN
> service starts and vice versa.  That's great, but I didn't configure
> that anywhere.
What does your /etc/runlevels/ look like? Is the openvpn service in one
of the runlevels? Are either of your network interfaces in one of the
runlevels?

> What's even worse is that when I'm not connected via WiFi (i.e.
> ethernet), the VPN service won't start because net.wlp3s0 isn't started:
[..]
> Why would it do that, can I configure this anywhere?
Also check /etc/rc.conf and try setting rc_depend_strict="NO". I do wish
there were a way to modify require/provides without having to edit the
init scripts themselves.


-- 
Simon Thelen



Re: [gentoo-user] openvpn client IP address

2018-01-18 Thread thelma
On 01/18/2018 07:15 AM, Michael Orlitzky wrote:
> On 01/17/2018 09:51 PM, the...@sys-concept.com wrote:
>> How openvpn client obtains IP address from the server?
>>
>> On the sever in server.conf I had:
>> server 192.168.139.0 255.255.255.0
>> route 10.0.0.0  255.255.255.0 192.168.139.7
>>
>> On server in ccd/ I had client.file:
>> ifconfig-push 192.168.139.3 255.255.255.0
> 
> Two things to check:
> 
> First, the client configuration directory needs to be specified in the
> server configuration file with the "client-config-dir" directive. In
> your case, it looks like you need
> 
>   client-config-dir ccd
> 
> but try an absolute path if that doesn't work for you.
> 
> The second is the naming convention for the client configuration files
> themselves. The files in "ccd" need to match the common names on the
> certificates of your clients exactly, IIRC. So instead of "client.file",
> you probably want just "client".

Thanks for reply.
I've already figured it out.  The configuration file in the ccd/ directory on
a server is linked to a key generated for the client during setup on
server:
./easyrsa build-client-full syscon7 nopass   (this is client key pair)

So the file in ccd/ (on server) has to be called "syscon7" and the
client computer will take IP from this file (that you assign).

Joseph



Re: [gentoo-user] openvpn client IP address

2018-01-18 Thread Michael Orlitzky
On 01/17/2018 09:51 PM, the...@sys-concept.com wrote:
> How openvpn client obtains IP address from the server?
> 
> On the sever in server.conf I had:
> server 192.168.139.0 255.255.255.0
> route 10.0.0.0  255.255.255.0 192.168.139.7
> 
> On server in ccd/ I had client.file:
> ifconfig-push 192.168.139.3 255.255.255.0

Two things to check:

First, the client configuration directory needs to be specified in the
server configuration file with the "client-config-dir" directive. In
your case, it looks like you need

  client-config-dir ccd

but try an absolute path if that doesn't work for you.

The second is the naming convention for the client configuration files
themselves. The files in "ccd" need to match the common names on the
certificates of your clients exactly, IIRC. So instead of "client.file",
you probably want just "client".
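The checks a practitioner would run over both configs before changing directives, as an added example that is neither OpenVPN's own validation nor code from either thread. It covers the agreement of `proto`, port and `tls-auth` between server and client from the 2020 "packet HMAC authentication failed" thread further up the page, and, for this thread, whether `client-config-dir` is enabled, whether ccd file names match issued certificate common names, and whether `ifconfig-push` addresses lie inside the `server` pool. The sample configs are abridged from the posts (ports 9000 and 9070 and the key file names vpn_clinic.key and ta.key from 2020; the 192.168.139.0/24 pool and the `client.file` entry from 2018); the 10.0.0.3 ccd entry and the set of issued CNs are constructed, and comment handling in `parse_config` is simplified.

```python
"""Consistency checks over an OpenVPN server config, a client config and the
client-config-dir. Added example: not OpenVPN's own validation and not code
from either thread. Sample configs are abridged from the posts; one ccd entry
and the set of issued CNs are constructed."""
import ipaddress
import os
import shlex


def parse_config(text: str) -> dict:
    """directive -> list of argument lists. Simplified comment handling:
    anything after '#' or ';' is dropped, quoted arguments are honoured."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            words = shlex.split(line)
            directives.setdefault(words[0], []).append(words[1:])
    return directives


def first(cfg: dict, key: str, default=None):
    """Arguments of the first occurrence of a directive, or default."""
    return cfg[key][0] if key in cfg else default


def check_transport(server: dict, client: dict) -> list:
    """proto, port and tls-auth must agree, or the server logs HMAC/TLS auth failures."""
    findings = []
    sproto, cproto = first(server, "proto", ["udp"])[0], first(client, "proto", ["udp"])[0]
    if sproto != cproto:
        findings.append(f"proto mismatch: server {sproto}, client {cproto}")
    server_port = int(first(server, "port", ["1194"])[0])
    remote = first(client, "remote")
    client_port = int(remote[1]) if remote and len(remote) > 1 else int(first(client, "port", ["1194"])[0])
    if server_port != client_port:
        findings.append(f"port mismatch: server listens on {server_port}, client connects to {client_port}")
    sta, cta = first(server, "tls-auth"), first(client, "tls-auth")
    if bool(sta) != bool(cta):
        findings.append("tls-auth configured on only one side; the other side will fail HMAC checks")
    elif sta and cta:
        # Same static key on both ends; direction 0 on the server and 1 on the
        # client (or omitted on both for a bidirectional key).
        sdir = sta[1] if len(sta) > 1 else None
        cdir = cta[1] if len(cta) > 1 else None
        if (sdir, cdir) not in {("0", "1"), (None, None)}:
            findings.append(f"tls-auth direction should be 0 (server) / 1 (client), got {sdir}/{cdir}")
        if os.path.basename(sta[0]) != os.path.basename(cta[0]):
            findings.append(f"tls-auth key files differ in name ({sta[0]} vs {cta[0]}); confirm both hold the same key")
    return findings


def check_ccd(server: dict, ccd_files: dict, issued_cns: set) -> list:
    """client-config-dir must be enabled, file names must equal certificate CNs,
    and ifconfig-push addresses must fall inside the server pool."""
    findings = []
    if "client-config-dir" not in server:
        findings.append("client-config-dir is not set; files in ccd/ are ignored")
    srv = first(server, "server")
    pool = ipaddress.ip_network(f"{srv[0]}/{srv[1]}", strict=False) if srv else None
    for fname, body in ccd_files.items():
        if fname not in issued_cns:
            findings.append(f"ccd/{fname} matches no client certificate CN; it will never be applied")
        push = first(parse_config(body), "ifconfig-push")
        if push and pool and ipaddress.ip_address(push[0]) not in pool:
            findings.append(f"ccd/{fname}: ifconfig-push {push[0]} is outside the server pool {pool}")
    return findings


# Abridged from the threads: ports and key names as posted in 2020, pool as posted in 2018
SERVER_CONF = """\
proto udp
port 9000
mode server
server 192.168.139.0 255.255.255.0
client-config-dir ccd
tls-auth vpn_clinic.key 0
"""
CLIENT_CONF = """\
client
proto udp
remote xxx.xx.xx.xx 9070 # static IP
tls-auth "/etc/openvpn/clinic_atom/ta.key" 1
"""
# ccd/ contents: 'client.file' as first posted in 2018, plus one constructed entry
CCD_FILES = {"client.file": "ifconfig-push 192.168.139.3 255.255.255.0\n",
             "syscon7": "ifconfig-push 10.0.0.3 255.255.255.0\n"}
ISSUED_CNS = {"syscon7"}   # constructed: CNs of the client certificates easyrsa issued


def lint_all() -> list:
    """All findings for the sample server/client/ccd set above."""
    server, client = parse_config(SERVER_CONF), parse_config(CLIENT_CONF)
    return check_transport(server, client) + check_ccd(server, CCD_FILES, ISSUED_CNS)


if __name__ == "__main__":
    for finding in lint_all():
        print("-", finding)
```

On the sample data the transport checks flag the 9000/9070 port difference and the differently named key files, and the ccd checks flag `client.file` (no certificate has that common name) and the constructed out-of-pool push; a ccd file that is never matched fails silently in OpenVPN, which is why the name check is worth automating.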



Re: [gentoo-user] openVPN

2017-02-06 Thread Mick
On Monday 06 Feb 2017 23:14:39 the...@sys-concept.com wrote:
> On 02/06/2017 10:37 PM, the...@sys-concept.com wrote:
> [snip]
> 
> > but I'm getting an error below:
> > 
> > ./easyrsa build-client-full syscon_home nopass
> > NOTE: If you run ./clean-all, I will be doing a rm -rf on
> > /usr/share/easy-rsa/keys
> > 
> > Note: using Easy-RSA configuration from: ./vars
> > 
> > Easy-RSA error:
> > 
> > Missing expected CA file: serial (perhaps you need to run build-ca?)
> > Run without commands for usage and command help.
> 
> I think in order to build it I need to run:
> 
> ./easyrsa build-ca nopass
> ./easyrsa gen-req clinic_8amd nopass
> ./easyrsa sign-req server clinic_8amd nopass
> ./easyrsa gen-dh
> ./easyrsa build-client-full home1 nopass
> 
> But I'm stuck now with:
> openvpn --genkey --secret /root/easy-rsa-example/pki/ta.key
> 
> Mon Feb  6 23:13:20 2017 Cannot open shared secret file
> '/root/easy-rsa-example/pki/ta.key' for write: No such file or directory
> (errno=2) Mon Feb  6 23:13:20 2017 Exiting due to fatal error
> 
> There is no such file "ta.key"
> 
> --
> Thelma

Have you created the desired directory, e.g. /root/easy-rsa-example/pki/ 
before you feed this path in the CLI above?
-- 
Regards,
Mick



Re: [gentoo-user] openVPN

2017-02-06 Thread thelma
On 02/06/2017 10:37 PM, the...@sys-concept.com wrote:
[snip]
> but I'm getting an error below: 
> 
> ./easyrsa build-client-full syscon_home nopass
> NOTE: If you run ./clean-all, I will be doing a rm -rf on 
> /usr/share/easy-rsa/keys
> 
> Note: using Easy-RSA configuration from: ./vars
> 
> Easy-RSA error:
> 
> Missing expected CA file: serial (perhaps you need to run build-ca?)
> Run without commands for usage and command help.

I think in order to build it I need to run:

./easyrsa build-ca nopass
./easyrsa gen-req clinic_8amd nopass
./easyrsa sign-req server clinic_8amd nopass
./easyrsa gen-dh
./easyrsa build-client-full home1 nopass

But I'm stuck now with: 
openvpn --genkey --secret /root/easy-rsa-example/pki/ta.key

Mon Feb  6 23:13:20 2017 Cannot open shared secret file 
'/root/easy-rsa-example/pki/ta.key' for write: No such file or directory 
(errno=2)
Mon Feb  6 23:13:20 2017 Exiting due to fatal error

There is no such file "ta.key"

--
Thelma



Re: [gentoo-user] openVPN

2017-02-06 Thread thelma
On 02/06/2017 08:23 PM, Michael Orlitzky wrote:
> On 02/06/2017 09:53 PM, the...@sys-concept.com wrote:
>> I'm trying to configure "openvpn" on my new box (have done it in the
>> past - long time ago).
>>
>> Trying to follow some basic instruction but when I change to:
>> cd /usr/share/easy-rsa/
>>
>> and try to run: ./build-ca
>> bash: ./build-ca: No such file or directory
>>
> 
> You want: ./easy-rsa build-ca
> 
> It's all in one script one.

It seems to me they have changed a lot. I was following instructions from:
https://wiki.gentoo.org/wiki/Create_a_Public_Key_Infrastructure_Using_the_easy-rsa_Scripts

and these two went OK:
./easyrsa gen-req clinic_8amd nopass
./easyrsa gen-dh

but I'm getting an error below: 

./easyrsa build-client-full syscon_home nopass
NOTE: If you run ./clean-all, I will be doing a rm -rf on 
/usr/share/easy-rsa/keys

Note: using Easy-RSA configuration from: ./vars

Easy-RSA error:

Missing expected CA file: serial (perhaps you need to run build-ca?)
Run without commands for usage and command help.

--
Thelma



Re: [gentoo-user] openVPN

2017-02-06 Thread Sam Jorna
On Mon, Feb 06, 2017 at 08:03:21PM -0700, the...@sys-concept.com wrote:
> and try to re-emerge it, it is not taking any effect.
> emerge -avq easy-rsa
> 
> [ebuild   R   ] app-crypt/easy-rsa-3.0.1-r1  USE="(-libressl)"
> 
> why isn't the package enclosing the libressl in emerge?

The parentheses "()" around the libressl flag indicates that it's forced 
by your profile. In this case, the libressl USE flag is masked for most 
architectures/platforms for stable arch because there's no stable 
libressl package:

/usr/portage/profiles/base/use.stable.mask:
# Justin Lecher  (30 Sep 2015)
# No stable libressl yet
# Addendum: also mask the USE_EXPAND flag,
# Anthony G. Basile  (26 Nov 2015)
curl_ssl_libressl
libressl

-- 
Sam Jorna (wraeth)
GnuPG Key: D6180C26




Re: [gentoo-user] openVPN

2017-02-06 Thread Michael Orlitzky
On 02/06/2017 09:53 PM, the...@sys-concept.com wrote:
> I'm trying to configure "openvpn" on my new box (have done it in the
> past - long time ago).
> 
> Trying to follow some basic instruction but when I change to:
> cd /usr/share/easy-rsa/
> 
> and try to run: ./build-ca
> bash: ./build-ca: No such file or directory
> 

You want: ./easy-rsa build-ca

It's all in one script one.




Re: [gentoo-user] openVPN

2017-02-06 Thread thelma
On 02/06/2017 07:53 PM, the...@sys-concept.com wrote:
> I'm trying to configure "openvpn" on my new box (have done it in the
> past - long time ago).
> 
> Trying to follow some basic instruction but when I change to:
> cd /usr/share/easy-rsa/
> 
> and try to run: ./build-ca
> bash: ./build-ca: No such file or directory

It could be the reason is that it was emerged without "libressl"
app-crypt/easy-rsa-3.0.1-r1  USE="(-libressl)"

so I put package.use
app-crypt/easy-rsa libressl

and try to re-emerge it, it is not taking any effect.
emerge -avq easy-rsa

[ebuild   R   ] app-crypt/easy-rsa-3.0.1-r1  USE="(-libressl)"

why isn't the package enclosing the libressl in emerge?

--
Thelma



Re: [gentoo-user] openvpn

2015-02-09 Thread Joseph

On 02/09/15 13:47, Michael Orlitzky wrote:

On 02/09/2015 01:42 PM, Joseph wrote:

I've openvpn installed:
...

and I'm trying to generate a server key but I don't have the directory: 
/usr/share/openvpn/easy-rsa/
does openvpn create this directory or do I do it manually?



It moved to /usr/share/easy-rsa when the app-crypt/easy-rsa package was
split off.


I've emerged easy-rsa but the /usr/share/openvpn/easy-rsa/ directory wasn't 
created.

--
Joseph



Re: [gentoo-user] openvpn

2015-02-09 Thread Alon Bar-Lev
you can install app-crypt/easyrsa

On Mon, Feb 9, 2015 at 8:42 PM, Joseph syscon...@gmail.com wrote:

 I've openvpn installed:
 Installed versions:  2.3.6(11:44:47 PM 01/30/2015)(lzo pam plugins ssl
 -down-root -examples -iproute2 -passwordsave -pkcs11 -polarssl -selinux
 -static -systemd USERLAND=-BSD)

 and I'm trying to generate a server key but I don't have the directory:
 /usr/share/openvpn/easy-rsa/
 does openvpn create this directory or do I do it manually?

 --
 Joseph




Re: [gentoo-user] openvpn

2015-02-09 Thread Michael Orlitzky
On 02/09/2015 01:42 PM, Joseph wrote:
 I've openvpn installed:
 ...
 
 and I'm trying to generate a server key but I don't have the directory: 
 /usr/share/openvpn/easy-rsa/
 does openvpn create this directory or do I do it manually?
 

It moved to /usr/share/easy-rsa when the app-crypt/easy-rsa package was
split off.




Re: [gentoo-user] openvpn

2015-02-09 Thread Joseph


On 02/09/15 11:42, Joseph wrote:

I've openvpn installed:
Installed versions:  2.3.6(11:44:47 PM 01/30/2015)(lzo pam plugins ssl 
-down-root -examples -iproute2 -passwordsave -pkcs11 -polarssl -selinux -static 
-systemd
USERLAND=-BSD)

and I'm trying to generate a server key but I don't have the directory: 
/usr/share/openvpn/easy-rsa/
does openvpn create this directory or do I do it manually?

--
Joseph


Thanks I found it.
...OpenVPN prior to 2.3 had the easy-rsa scripts included; the current one doesn't

--
Joseph



Re: [gentoo-user] openvpn

2015-02-09 Thread Joseph

On 02/09/15 11:57, Joseph wrote:

On 02/09/15 13:47, Michael Orlitzky wrote:

On 02/09/2015 01:42 PM, Joseph wrote:

I've openvpn installed:
...

and I'm trying to generate a server key but I don't have the directory: 
/usr/share/openvpn/easy-rsa/
does openvpn create this directory or do I do it manually?



It moved to /usr/share/easy-rsa when the app-crypt/easy-rsa package was
split off.


I've emerged easy-rsa but the /usr/share/openvpn/easy-rsa/ directory wasn't 
created.


now it is:
/usr/share/easy-rsa/

--
Joseph



Re: [gentoo-user] openvpn

2015-02-09 Thread Alon Bar-Lev
On Mon, Feb 9, 2015 at 8:57 PM, Joseph syscon...@gmail.com wrote:

 On 02/09/15 13:47, Michael Orlitzky wrote:

 On 02/09/2015 01:42 PM, Joseph wrote:

 I've openvpn installed:
 ...

 and I'm trying to generate a server key but I don't have the directory: 
 /usr/share/openvpn/easy-rsa/
 does openvpn create this directory or do I do it manually?


 It moved to /usr/share/easy-rsa when the app-crypt/easy-rsa package was
 split off.


 I've emerged easy-rsa but the /usr/share/openvpn/easy-rsa/ directory wasn't 
 created.

the following command will be handy for you:

$ equery files easy-rsa



Re: [gentoo-user] openvpn

2015-02-09 Thread Michael Orlitzky
On 02/09/2015 01:57 PM, Joseph wrote:

 It moved to /usr/share/easy-rsa when the app-crypt/easy-rsa package was
 split off.
 
 I've emerged easy-rsa but the /usr/share/openvpn/easy-rsa/ directory wasn't 
 created.
 

That's because

 It moved to /usr/share/easy-rsa

=)




Re: [gentoo-user] openvpn static ip

2010-02-26 Thread Xavier Parizet
On 02/25/2010 11:21 PM, Joseph wrote:
 On 02/25/10 22:17, Xavier Parizet wrote:
 [snip]
 
 I added the full path for ccd on the server:
 /etc/openvpn/ccd
 
 Now I'm getting a consistent IP (192.168.139.2) every time I restart
 openvpn.client_clinic2,
 but I'm not getting what I requested in ccd/syscon9:
 ifconfig-push  192.168.139.15 255.255.255.0

Retry with ifconfig-push 192.168.139.15 192.168.139.1.
Also post the /etc/openvpn/ipp.txt content, then try removing it, restart the
openvpn server (keep the full log at level 4), and restart the openvpn client
(keep the full log at level 4).

I'm starting to be out of ideas ^^

 The client runs openvpn as user root,
 the server runs openvpn as user openvpn.

-- 
  Xavier Parizet
YaGB :   http://gentooist.com
GPG  :C7DC B10E FC21 63BE
B453 D239 F6E6 DF65 1569 91BF





Re: [gentoo-user] openvpn static ip

2010-02-26 Thread J. Roeleveld
On Friday 26 February 2010 01:39:55 Joseph wrote:
 On 02/25/10 22:17, Xavier Parizet wrote:
 From what I can see, please try adding the full path to the ccd directory in the
 client-config-dir directive on the server side. Also check permissions
 on that directory. Which user are you running openvpn as on the server?
 On the client?
 
 On client:
 drwxr-xr-x 2 root root 4096 Feb 24 18:49 ccd
 -rw-r--r-- 1 root root 45 Feb 25 12:13 syscon9
 
 so this looks OK,

From this, it looks like the syscon9 file is not in the .../ccd/ 
directory?

Also, isn't this file supposed to be on the server?

 Can you increase verbosity and see if there are any open failures on the
 server? If it works, you should have the following lines in the server logs:
 OPTIONS IMPORT: reading client specific options from: [path to ccd]/syscon9
 MULTI: Learn: [192.168.139.15] -> syscon9/[ip source:port source]
 
 I've increased verbosity on the server to 9
 but I cannot find any phrase in the server log file: fails IMPORT
 
 but I've noticed this section on the server log:
 
 ...syscon9/68.148.245.78:56172 TEST FILE '/etc/openvpn/ccd/syscon9' [0]
 ...syscon9/68.148.245.78:56172 TEST FILE '/etc/openvpn/ccd/DEFAULT' [0]
 ...syscon9/68.148.245.78:56172 MULTI: Learn: 192.168.139.2 ->
  syscon9/68.148.245.78:56172
 
 If I change the directory to ccd the log just shows:
 ...syscon9/68.148.245.78:56172 TEST FILE 'ccd/syscon9' [0]
 ...syscon9/68.148.245.78:56172 TEST FILE 'ccd/DEFAULT' [0]

This seems to indicate it can't actually find the file 
/etc/openvpn/ccd/syscon9

This file needs to be located on the server, not on the client, as it's the 
server that determines the IP-address for the client.

--
Joost
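
The two replies above (retry the ifconfig-push form and post ipp.txt; the ccd file has to live on the server) come down to a handful of checks that are easy to get wrong by hand. What follows is an added example, not code from this thread or from the OpenVPN project: it lints a server config together with the server-side ccd listing for one client CN. The config text and ccd entries at the bottom are constructed from the values posted in the thread (CN syscon9, pool 192.168.139.0/24); the rules it encodes, that a relative client-config-dir is resolved against the daemon's working directory (or its --cd), that under topology subnet the second ifconfig-push argument is a netmask, and that under the old default topology net30 the two endpoints must form a /30 pair, are OpenVPN's documented behaviour.

```python
"""Check why an OpenVPN client may not get the address from its ccd file.
Added example, not code from the thread or from OpenVPN.  The config text and
ccd contents at the bottom are constructed from the values posted above
(CN "syscon9", pool 192.168.139.0/24)."""
import ipaddress
import posixpath


def parse_conf(text):
    """Map each option to the list of argument lists it occurs with,
    skipping blank lines and '#' / ';' comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            opts.setdefault(name, []).append(args)
    return opts


def is_netmask(s):
    """True for a contiguous dotted-quad netmask such as 255.255.255.0."""
    try:
        bits = int(ipaddress.IPv4Address(s))
    except ValueError:
        return False
    inverted = ~bits & 0xFFFFFFFF
    return bits != 0 and (inverted & (inverted + 1)) == 0


def net30_pair_ok(a, b):
    """Under 'topology net30' every client owns a /30 and the two pushed
    endpoints must be its usable pair ([1,2], [5,6], [9,10], ...), either order."""
    try:
        x, y = int(ipaddress.IPv4Address(a)), int(ipaddress.IPv4Address(b))
    except ValueError:
        return False
    return (x >> 2) == (y >> 2) and {x & 3, y & 3} == {1, 2}


def check_static_ip(server_conf, ccd_files, client_cn, conf_dir="/etc/openvpn"):
    """Return a list of findings for client_cn.  ccd_files maps file name to
    content and stands in for the ccd directory listing on the *server*; a
    ccd file sitting on the client is never consulted by anyone."""
    findings = []
    opts = parse_conf(server_conf)
    ccd = opts.get("client-config-dir")
    if not ccd:
        return ["no client-config-dir on the server; ccd files are never read"]
    ccd_dir = ccd[-1][0]
    if not posixpath.isabs(ccd_dir):
        # OpenVPN resolves a relative path against its working directory
        # (or --cd), not against the directory holding the config file.
        findings.append("client-config-dir '%s' is relative; use %s"
                        % (ccd_dir, posixpath.join(conf_dir, ccd_dir)))
    if "duplicate-cn" in opts:
        findings.append("duplicate-cn is set: concurrent sessions with the same "
                        "CN would all be pushed the same fixed address")
    entry = ccd_files.get(client_cn)
    if entry is None:
        findings.append("no file named exactly '%s' in the server's ccd directory "
                        "(the name must match the client certificate CN)" % client_cn)
        return findings
    topology = opts.get("topology", [["net30"]])[-1][0]
    for args in parse_conf(entry).get("ifconfig-push", []) or [[]]:
        if len(args) < 2:
            findings.append("ccd/%s needs 'ifconfig-push <ip> <netmask|peer>'" % client_cn)
        elif topology == "subnet" and not is_netmask(args[1]):
            findings.append("topology subnet: second argument '%s' must be the "
                            "netmask, e.g. 255.255.255.0" % args[1])
        elif topology == "net30" and not net30_pair_ok(args[0], args[1]):
            findings.append("topology net30: %s and %s are not a /30 endpoint pair "
                            "(e.g. .6 and .5)" % (args[0], args[1]))
    return findings


# Constructed from the thread: the server config as first posted (relative ccd
# path, duplicate-cn, no topology line so net30 applies) and its ccd entry.
SERVER_CONF_POSTED = """\
mode server
server 192.168.139.0 255.255.255.0
client-config-dir ccd
duplicate-cn
"""
CCD_POSTED = {"syscon9": "ifconfig-push 192.168.139.15 192.168.139.1\n"}
# The same setup with the fixes applied.
SERVER_CONF_FIXED = """\
mode server
topology subnet
server 192.168.139.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
"""
CCD_FIXED = {"syscon9": "ifconfig-push 192.168.139.15 255.255.255.0\n"}

if __name__ == "__main__":
    for label, conf, ccd in (("posted", SERVER_CONF_POSTED, CCD_POSTED),
                             ("fixed", SERVER_CONF_FIXED, CCD_FIXED)):
        print("[%s]" % label)
        for finding in check_static_ip(conf, ccd, "syscon9") or ["ok"]:
            print("  -", finding)
```

Run with python3: the posted setup yields three findings (relative ccd path, duplicate-cn, and an endpoint pair that is invalid under net30), the fixed one prints ok. Two things the script cannot see are left to the operator: the ccd file must be readable by the user the daemon drops privileges to (user openvpn in this thread), and OpenVPN replaces characters outside its allowed CN character set with underscores before the lookup, so a CN containing spaces or other punctuation maps to a file name with underscores.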



Re: [gentoo-user] openvpn static ip

2010-02-25 Thread Xavier Parizet
On 02/25/2010 02:32 AM, Joseph wrote:
 I've configured OpenVPN and it works OK but I can't seem to figure
 out how to assign static IPs to clients
 
 My server.conf:
 port 8458
 proto udp
 dev tun
 mode server
 ca /usr/share/openvpn/easy-rsa/keys/ca.crt
 cert /usr/share/openvpn/easy-rsa/keys/server.crt
 key /usr/share/openvpn/easy-rsa/keys/server.key
 dh /usr/share/openvpn/easy-rsa/keys/dh1024.pem
 server 192.168.139.0 255.255.255.0
 client-to-client
 ifconfig-pool-persist ipp.txt
 client-config-dir ccd
 keepalive 10 120
 tls-auth vpn_my.key 0
 tun-mtu 1500
 tun-mtu-extra 32
 mssfix 1200
 duplicate-cn
 comp-lzo
 max-clients 100
 persist-key
 persist-tun
 status openvpn-status.log
 log /var/log/openvpn.log
 log-append /var/log/openvpn.log
 verb 3
 
 On the client, in the /etc/openvpn/ccd directory, I've created a file syscon9 with:
 ifconfig-push 192.168.139.15 192.168.139.1

Hmmm... 192.168.139.1 does not seem to be a remote netmask, does it?
man openvpn tells me the following for ifconfig-push:
--ifconfig-push local remote-netmask

so, put ifconfig-push 192.168.139.15 255.255.255.0 rather than the line
above in the ccd directory.

If it doesn't work, then please post the openvpn.log of the client.

 This file is supposed to be named after the client CN
 
 client.conf
 client
 dev tun
 proto udp
 remote 68.148.245.78 8458
 resolv-retry infinite
 nobind
 tun-mtu 1500
 tun-mtu-extra 32
 mssfix 1200
 persist-key
 persist-tun
 remote-cert-tls server
 ca /etc/openvpn/client/ca.crt
 cert /etc/openvpn/client/syscon9.crt
 key /etc/openvpn/client/syscon9.key
 tls-auth /etc/openvpn/client/vpn.key 1
 comp-lzo
 log /var/log/openvpn.log
 log-append /var/log/openvpn.log
 verb 3

-- 
  Xavier Parizet
YaGB :   http://gentooist.com
GPG  :C7DC B10E FC21 63BE
B453 D239 F6E6 DF65 1569 91BF





Re: [gentoo-user] openvpn static ip

2010-02-25 Thread Albert Hopkins
On Wed, 2010-02-24 at 20:37 -0700, Joseph wrote:
 The directory name shouldn't make any difference; I'm using the directory
 name ccd. Though I've tried the IPs you suggested, it makes no
 difference, still
 not getting a static IP :-/
 
 Thanks for the suggestion, I've been on it all day and cannot find the
 solution.

Yeah I know the directory name is arbitrary, I was only giving you the
example that works for me.

Not sure why it doesn't work for you. Do the file names match up with
the DNs (check the logs)?

-a





Re: [gentoo-user] openvpn static ip

2010-02-25 Thread Xavier Parizet
On 25/02/2010 17:51, Joseph wrote:
 On 02/25/10 08:40, Xavier Parizet wrote:
 On 02/25/2010 02:32 AM, Joseph wrote:
 I've configured OpenVPN and it works OK but I can't seem to figure
 out how to assign static IPs to clients

 My server.conf:
 port 8458
 [SNIP]

 On the client, in the /etc/openvpn/ccd directory, I've created a file syscon9
 with:
 ifconfig-push 192.168.139.15 192.168.139.1

 Hmmm... 192.168.139.1 does not seem to be a remote netmask, does it?
 man openvpn tells me the following for ifconfig-push:
 --ifconfig-push local remote-netmask

 so, put ifconfig-push 192.168.139.15 255.255.255.0 rather than the line
 above in the ccd directory.

 If it doesn't work, then please post the openvpn.log of the client.
 
 I've tried it many times, it doesn't work with the netmask. File syscon9
 from ccd:
 cat syscon9
 ifconfig-push  192.168.0.15 255.255.255.0
^^^
 this is wrong (or maybe a typing mistake?)

If it's a typing mistake, then please post the server-side log now.

 [SNIP]

-- 
  Xavier Parizet
YaGB :   http://gentooist.com
GPG  :C7DC B10E FC21 63BE
B453 D239 F6E6 DF65 1569 91BF





Re: [gentoo-user] openvpn static ip

2010-02-25 Thread Joseph

On 02/25/10 18:12, Xavier Parizet wrote:

On 25/02/2010 17:51, Joseph wrote:

On 02/25/10 08:40, Xavier Parizet wrote:

On 02/25/2010 02:32 AM, Joseph wrote:

I've configured OpenVPN and it works OK but I can't seem to figure
out how to assign static IPs to clients

My server.conf:
port 8458
[SNIP]

On the client, in the /etc/openvpn/ccd directory, I've created a file syscon9
with:
ifconfig-push 192.168.139.15 192.168.139.1


Hmmm... 192.168.139.1 does not seem to be a remote netmask, does it?
man openvpn tells me the following for ifconfig-push:
--ifconfig-push local remote-netmask

so, put ifconfig-push 192.168.139.15 255.255.255.0 rather than the line
above in the ccd directory.

If it doesn't work, then please post the openvpn.log of the client.


I've tried it many times, it doesn't work with the netmask. File syscon9
from ccd:
cat syscon9
ifconfig-push  192.168.0.15 255.255.255.0

   ^^^
this is wrong (or maybe a typing mistake?)

If it's a typing mistake, then please post the server-side log now.


Yes, it was a typo :-/ I corrected it:
cat syscon9
ifconfig-push  192.168.139.15 255.255.255.0

but from the log you can see it still didn't give me what I want: I got IP 
192.168.139.6 and was asking for 192.168.139.15

log:
cat /var/log/openvpn.log
Thu Feb 25 12:14:04 2010 OpenVPN 2.1_rc15 x86_64-pc-linux-gnu [SSL] [LZO2] 
[EPOLL] built on Jan 16 2010
Thu Feb 25 12:14:04 2010 NOTE: the current --script-security setting may allow 
this configuration to call user-defined scripts
Thu Feb 25 12:14:04 2010 Control Channel Authentication: using 
'/etc/openvpn/client_clinic2/vpn_my.key' as a OpenVPN static key file
Thu Feb 25 12:14:04 2010 Outgoing Control Channel Authentication: Using 160 bit 
message hash 'SHA1' for HMAC authentication
Thu Feb 25 12:14:04 2010 Incoming Control Channel Authentication: Using 160 bit 
message hash 'SHA1' for HMAC authentication
Thu Feb 25 12:14:04 2010 LZO compression initialized
Thu Feb 25 12:14:04 2010 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 
ET:0 EL:0 ]
Thu Feb 25 12:14:04 2010 Data Channel MTU parms [ L:1574 D:1200 EF:42 EB:135 
ET:32 EL:0 AF:3/1 ]
Thu Feb 25 12:14:04 2010 Local Options hash (VER=V4): 'ec497616'
Thu Feb 25 12:14:04 2010 Expected Remote Options hash (VER=V4): '7cd8ed90'
Thu Feb 25 12:14:04 2010 Socket Buffers: R=[114688-131072] S=[114688-131072]
Thu Feb 25 12:14:04 2010 UDPv4 link local: [undef]
Thu Feb 25 12:14:04 2010 UDPv4 link remote: 208.38.31.237:9000
Thu Feb 25 12:15:04 2010 TLS Error: TLS key negotiation failed to occur within 
60 seconds (check your network connectivity)
Thu Feb 25 12:15:04 2010 TLS Error: TLS handshake failed
Thu Feb 25 12:15:04 2010 TCP/UDP: Closing socket
Thu Feb 25 12:15:04 2010 SIGUSR1[soft,tls-error] received, process restarting
Thu Feb 25 12:15:04 2010 Restart pause, 2 second(s)
Thu Feb 25 12:15:06 2010 NOTE: the current --script-security setting may allow 
this configuration to call user-defined scripts
Thu Feb 25 12:15:06 2010 Re-using SSL/TLS context
Thu Feb 25 12:15:06 2010 LZO compression initialized
Thu Feb 25 12:15:06 2010 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 
ET:0 EL:0 ]
Thu Feb 25 12:15:06 2010 Data Channel MTU parms [ L:1574 D:1200 EF:42 EB:135 
ET:32 EL:0 AF:3/1 ]
Thu Feb 25 12:15:06 2010 Local Options hash (VER=V4): 'ec497616'
Thu Feb 25 12:15:06 2010 Expected Remote Options hash (VER=V4): '7cd8ed90'
Thu Feb 25 12:15:06 2010 Socket Buffers: R=[114688-131072] S=[114688-131072]
Thu Feb 25 12:15:06 2010 UDPv4 link local: [undef]
Thu Feb 25 12:15:06 2010 UDPv4 link remote: 208.38.31.237:9000
Thu Feb 25 12:16:06 2010 TLS Error: TLS key negotiation failed to occur within 
60 seconds (check your network connectivity)
Thu Feb 25 12:16:06 2010 TLS Error: TLS handshake failed
Thu Feb 25 12:16:06 2010 TCP/UDP: Closing socket
Thu Feb 25 12:16:06 2010 SIGUSR1[soft,tls-error] received, process restarting
Thu Feb 25 12:16:06 2010 Restart pause, 2 second(s)
Thu Feb 25 12:16:08 2010 NOTE: the current --script-security setting may allow 
this configuration to call user-defined scripts
Thu Feb 25 12:16:08 2010 Re-using SSL/TLS context
Thu Feb 25 12:16:08 2010 LZO compression initialized
Thu Feb 25 12:16:08 2010 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 
ET:0 EL:0 ]
Thu Feb 25 12:16:08 2010 Data Channel MTU parms [ L:1574 D:1200 EF:42 EB:135 
ET:32 EL:0 AF:3/1 ]
Thu Feb 25 12:16:08 2010 Local Options hash (VER=V4): 'ec497616'
Thu Feb 25 12:16:08 2010 Expected Remote Options hash (VER=V4): '7cd8ed90'
Thu Feb 25 12:16:08 2010 Socket Buffers: R=[114688-131072] S=[114688-131072]
Thu Feb 25 12:16:08 2010 UDPv4 link local: [undef]
Thu Feb 25 12:16:08 2010 UDPv4 link remote: 208.38.31.237:9000
Thu Feb 25 12:16:25 2010 TLS: Initial packet from 208.38.31.237:9000, 
sid=9c654bbf 0689942b
Thu Feb 25 12:16:25 2010 VERIFY OK: depth=1, 
/C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=Fort-Funston_CA/emailaddress...@myhost.mydomain
Thu Feb 25 12:16:25 2010 Validating certificate key 

Re: [gentoo-user] openvpn static ip

2010-02-25 Thread Xavier Parizet
On 25/02/2010 20:20, Joseph wrote:
 On 02/25/10 18:12, Xavier Parizet wrote:
 On 25/02/2010 17:51, Joseph wrote:
 On 02/25/10 08:40, Xavier Parizet wrote:
 On 02/25/2010 02:32 AM, Joseph wrote:
 I've configured OpenVPN and it works OK but I can't seem to
 figure
 out how to assign static IPs to clients

 My server.conf:
 port 8458
 [SNIP]

 On the client, in the /etc/openvpn/ccd directory, I've created a file syscon9
 with:
 ifconfig-push 192.168.139.15 192.168.139.1

 Hmmm... 192.168.139.1 does not seem to be a remote netmask, does it?
 man openvpn tells me the following for ifconfig-push:
 --ifconfig-push local remote-netmask

 so, put ifconfig-push 192.168.139.15 255.255.255.0 rather than the line
 above in the ccd directory.

 If it doesn't work, then please post the openvpn.log of the client.

 I've tried it many times, it doesn't work with the netmask. File syscon9
 from ccd:
 cat syscon9
 ifconfig-push  192.168.0.15 255.255.255.0
^^^
 this is wrong (or maybe a typing mistake?)

 If it's a typing mistake, then please post the server-side log now.
 
 Yes, it was a typo :-/ I corrected it:
 cat syscon9
 ifconfig-push  192.168.139.15 255.255.255.0
 
 but from the log you can see it still didn't give me what I want: I got IP
 192.168.139.6 and was asking for 192.168.139.15
 
 log:
 cat /var/log/openvpn.log
 [SNIP]

OK. After re-re-reading the man page, try adding the parameter topology
subnet to the server config. If it still doesn't work, then _please_ post the
openvpn.log of the server side.

-- 
  Xavier Parizet
YaGB :   http://gentooist.com
GPG  :C7DC B10E FC21 63BE
B453 D239 F6E6 DF65 1569 91BF





Re: [gentoo-user] openvpn static ip

2010-02-25 Thread Etaoin Shrdlu
On Thursday 25 February 2010, Joseph wrote:

 Yes, it was a typo :-/ I corrected it:
 cat syscon9
 ifconfig-push  192.168.139.15 255.255.255.0
 
 but from the log you can see it still didn't give me what I want: I got IP
  192.168.139.6 and was asking for 192.168.139.15

Try adding

topology subnet

to both client and server config.



Re: [gentoo-user] openvpn static ip

2010-02-25 Thread Joseph

On 02/25/10 21:09, Xavier Parizet wrote:
[snip]

Yes, it was a typo :-/ I corrected it:
cat syscon9
ifconfig-push  192.168.139.15 255.255.255.0

but from the log you can see it still didn't give me what I want: I got IP
192.168.139.6 and was asking for 192.168.139.15

log:
cat /var/log/openvpn.log
[SNIP]


OK. After re-re-reading the man page, try adding the parameter topology
subnet to the server config. If it still doesn't work, then _please_ post the
openvpn.log of the server side.

--
 Xavier Parizet
YaGB :   http://gentooist.com
GPG  :C7DC B10E FC21 63BE
B453 D239 F6E6 DF65 1569 91BF



I've added topology subnet to both client and server conf, but now when I
disconnect and reconnect I'm getting consecutive IPs:
192.168.139.2
192.168.139.3
192.168.139.4
...

cat server.conf
port 9000
proto udp
dev tun
mode server
ca /usr/share/openvpn/easy-rsa/keys/ca.crt
cert /usr/share/openvpn/easy-rsa/keys/server.crt
key /usr/share/openvpn/easy-rsa/keys/server.key
dh /usr/share/openvpn/easy-rsa/keys/dh1024.pem
topology subnet
server 192.168.139.0 255.255.255.0
client-to-client
ifconfig-pool-persist ipp.txt
client-config-dir ccd
keepalive 10 120
tls-auth vpn_my.key 0
tun-mtu 1500
tun-mtu-extra 32
mssfix 1200
duplicate-cn
comp-lzo
max-clients 100
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3

cat client_clinic2.conf
client
dev tun
proto udp
topology subnet
remote 208.38.31.237 9000
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1200
persist-key
persist-tun
remote-cert-tls server
ca /etc/openvpn/client_clinic2/ca.crt
cert /etc/openvpn/client_clinic2/syscon9.crt
key /etc/openvpn/client_clinic2/syscon9.key
tls-auth /etc/openvpn/client_clinic2/vpn_my.key 1
comp-lzo
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3


log file from client:

cat /var/log/openvpn.log
Thu Feb 25 13:50:30 2010 OpenVPN 2.1_rc15 x86_64-pc-linux-gnu [SSL] [LZO2] 
[EPOLL] built on Jan 16 2010
Thu Feb 25 13:50:30 2010 NOTE: the current --script-security setting may allow 
this configuration to call user-defined scripts
Thu Feb 25 13:50:30 2010 Control Channel Authentication: using 
'/etc/openvpn/client_clinic2/vpn_my.key' as a OpenVPN static key file
Thu Feb 25 13:50:30 2010 Outgoing Control Channel Authentication: Using 160 bit 
message hash 'SHA1' for HMAC authentication
Thu Feb 25 13:50:30 2010 Incoming Control Channel Authentication: Using 160 bit 
message hash 'SHA1' for HMAC authentication
Thu Feb 25 13:50:30 2010 LZO compression initialized
Thu Feb 25 13:50:30 2010 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 
ET:0 EL:0 ]
Thu Feb 25 13:50:30 2010 Data Channel MTU parms [ L:1574 D:1200 EF:42 EB:135 
ET:32 EL:0 AF:3/1 ]
Thu Feb 25 13:50:30 2010 Local Options hash (VER=V4): 'ec497616'
Thu Feb 25 13:50:30 2010 Expected Remote Options hash (VER=V4): '7cd8ed90'
Thu Feb 25 13:50:30 2010 Socket Buffers: R=[114688-131072] S=[114688-131072]
Thu Feb 25 13:50:30 2010 UDPv4 link local: [undef]
Thu Feb 25 13:50:30 2010 UDPv4 link remote: 208.38.31.237:9000
Thu Feb 25 13:50:30 2010 TLS: Initial packet from 208.38.31.237:9000, 
sid=766f3e2f 0cf96857
Thu Feb 25 13:50:30 2010 VERIFY OK: depth=1, 
/C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=Fort-Funston_CA/emailaddress...@myhost.mydomain
Thu Feb 25 13:50:30 2010 Validating certificate key usage
Thu Feb 25 13:50:30 2010 ++ Certificate has key usage  00a0, expects 00a0
Thu Feb 25 13:50:30 2010 VERIFY KU OK
Thu Feb 25 13:50:30 2010 Validating certificate extended key usage
Thu Feb 25 13:50:30 2010 ++ Certificate has EKU (str) TLS Web Server 
Authentication, expects TLS Web Server Authentication
Thu Feb 25 13:50:30 2010 VERIFY EKU OK
Thu Feb 25 13:50:30 2010 VERIFY OK: depth=0, 
/C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=server/emailaddress...@myhost.mydomain
Thu Feb 25 13:50:31 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 
128 bit key
Thu Feb 25 13:50:31 2010 Data Channel Encrypt: Using 160 bit message hash 
'SHA1' for HMAC authentication
Thu Feb 25 13:50:31 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 
128 bit key
Thu Feb 25 13:50:31 2010 Data Channel Decrypt: Using 160 bit message hash 
'SHA1' for HMAC authentication
Thu Feb 25 13:50:31 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 
DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Feb 25 13:50:31 2010 [server] Peer Connection Initiated with 
208.38.31.237:9000
Thu Feb 25 13:50:32 2010 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Feb 25 13:50:32 2010 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.139.1,topology subnet,ping 10,ping-restart 120,ifconfig 
192.168.139.2 255.255.255.0'

Thu Feb 25 13:50:32 2010 OPTIONS IMPORT: timers and/or timeouts modified
Thu Feb 25 13:50:32 2010 OPTIONS IMPORT: --ifconfig/up options modified
Thu Feb 25 13:50:32 2010 OPTIONS IMPORT: route-related options modified
Thu Feb 25 13:50:32 2010 TUN/TAP device tun0 opened
Thu Feb 25 13:50:32 2010 TUN/TAP TX queue 

Re: [gentoo-user] openvpn static ip

2010-02-25 Thread Xavier Parizet
On 25/02/2010 22:01, Joseph wrote:
 On 02/25/10 21:09, Xavier Parizet wrote:
 [snip]
 Yes, it was a typo :-/ I corrected it:
 cat syscon9
 ifconfig-push  192.168.139.15 255.255.255.0

 but from the log you can see it still didn't give me what I want: I got IP
 192.168.139.6 and was asking for 192.168.139.15

 log:
 cat /var/log/openvpn.log
 [SNIP]

 OK. After re-re-reading the man page, try adding the parameter topology
 subnet to the server config. If it still doesn't work, then _please_ post the
 openvpn.log of the server side.

 
 I've added topology subnet to both client and server conf, but now when
 I disconnect and reconnect I'm getting consecutive IPs:
 192.168.139.2
 192.168.139.3
 192.168.139.4
 ...
 
 cat server.conf
 port 9000
 proto udp
 dev tun
 mode server
 ca /usr/share/openvpn/easy-rsa/keys/ca.crt
 cert /usr/share/openvpn/easy-rsa/keys/server.crt
 key /usr/share/openvpn/easy-rsa/keys/server.key
 dh /usr/share/openvpn/easy-rsa/keys/dh1024.pem
 topology subnet
 server 192.168.139.0 255.255.255.0
 client-to-client
 ifconfig-pool-persist ipp.txt
 client-config-dir ccd
 keepalive 10 120
 tls-auth vpn_my.key 0
 tun-mtu 1500
 tun-mtu-extra 32
 mssfix 1200
 duplicate-cn
 comp-lzo
 max-clients 100
 persist-key
 persist-tun
 status openvpn-status.log
 log /var/log/openvpn.log
 log-append /var/log/openvpn.log
 verb 3
 
 cat client_clinic2.conf
 client
 dev tun
 proto udp
 topology subnet
 remote 208.38.31.237 9000
 resolv-retry infinite
 nobind
  ^^
  you should remove this line to avoid connection-refused messages from
the server. As you are using UDP, the client should bind to a UDP source port to
get messages from the server.

 tun-mtu 1500
 tun-mtu-extra 32
 mssfix 1200
 persist-key
 persist-tun
 remote-cert-tls server
 ca /etc/openvpn/client_clinic2/ca.crt
 cert /etc/openvpn/client_clinic2/syscon9.crt
 key /etc/openvpn/client_clinic2/syscon9.key
 tls-auth /etc/openvpn/client_clinic2/vpn_my.key 1
 comp-lzo
 log /var/log/openvpn.log
 log-append /var/log/openvpn.log
 verb 3
 
 
 log file from client:
 
 cat /var/log/openvpn.log
 [SNIP]
 
 Why is the server log always showing this message: [ECONNREFUSED]:
 Connection refused (code=111)

From what I can see, please try adding the full path to the ccd directory in the
client-config-dir directive on the server side. Also check permissions
on that directory. Which user are you running openvpn as on the server?
On the client?

Can you increase verbosity and see if there are any open failures on the
server? If it works, you should have the following lines in the server logs:
OPTIONS IMPORT: reading client specific options from: [path to ccd]/syscon9
MULTI: Learn: [192.168.139.15] -> syscon9/[ip source:port source]

-- 
  Xavier Parizet
YaGB :   http://gentooist.com
GPG  :C7DC B10E FC21 63BE
B453 D239 F6E6 DF65 1569 91BF





Re: [gentoo-user] openvpn static ip

2010-02-25 Thread Joseph

On 02/25/10 22:17, Xavier Parizet wrote:
[snip]

topology subnet
remote 208.38.31.237 9000
resolv-retry infinite
nobind

 ^^
 you should remove this line to avoid connection-refused messages from
the server. As you are using UDP, the client should bind to a UDP source port to
get messages from the server.


I removed this one from client.conf




tun-mtu 1500
tun-mtu-extra 32
mssfix 1200
persist-key
persist-tun
remote-cert-tls server
ca /etc/openvpn/client_clinic2/ca.crt
cert /etc/openvpn/client_clinic2/syscon9.crt
key /etc/openvpn/client_clinic2/syscon9.key
tls-auth /etc/openvpn/client_clinic2/vpn_my.key 1
comp-lzo
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3


log file from client:

cat /var/log/openvpn.log
[SNIP]

Why is the server log always showing this message: [ECONNREFUSED]:
Connection refused (code=111)


From what I can see, please try adding the full path to the ccd directory in the
client-config-dir directive on the server side. Also check permissions
on that directory. Which user are you running openvpn as on the server?
On the client?

Can you increase verbosity and see if there are any open failures on the
server? If it works, you should have the following lines in the server logs:
OPTIONS IMPORT: reading client specific options from: [path to ccd]/syscon9
MULTI: Learn: [192.168.139.15] -> syscon9/[ip source:port source]

--
 Xavier Parizet
YaGB :   http://gentooist.com
GPG  :C7DC B10E FC21 63BE
B453 D239 F6E6 DF65 1569 91BF



I added the full path for ccd on the server:
/etc/openvpn/ccd

Now I'm getting a consistent IP (192.168.139.2) every time I restart
openvpn.client_clinic2,
but I'm not getting what I requested in ccd/syscon9:
ifconfig-push  192.168.139.15 255.255.255.0

The client runs openvpn as user root,
the server runs openvpn as user openvpn.

--
Joseph



Re: [gentoo-user] openvpn static ip

2010-02-25 Thread Joseph

On 02/25/10 22:17, Xavier Parizet wrote:

From what I can see, please try adding the full path to the ccd directory in the
client-config-dir directive on the server side. Also check permissions
on that directory. Which user are you running openvpn as on the server?
On the client?


On client:
drwxr-xr-x 2 root root 4096 Feb 24 18:49 ccd
-rw-r--r-- 1 root root 45 Feb 25 12:13 syscon9

so this looks OK,


Can you increase verbosity and see if there are any open failures on the
server? If it works, you should have the following lines in the server logs:
OPTIONS IMPORT: reading client specific options from: [path to ccd]/syscon9
MULTI: Learn: [192.168.139.15] -> syscon9/[ip source:port source]


I've increased verbosity on the server to 9
but I cannot find any phrase in the server log file: fails IMPORT

but I've noticed this section on the server log:

...syscon9/68.148.245.78:56172 TEST FILE '/etc/openvpn/ccd/syscon9' [0]
...syscon9/68.148.245.78:56172 TEST FILE '/etc/openvpn/ccd/DEFAULT' [0]
...syscon9/68.148.245.78:56172 MULTI: Learn: 192.168.139.2 -> 
syscon9/68.148.245.78:56172

If I change the directory to ccd the log just shows:
...syscon9/68.148.245.78:56172 TEST FILE 'ccd/syscon9' [0]
...syscon9/68.148.245.78:56172 TEST FILE 'ccd/DEFAULT' [0]

--
Joseph
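
The server-side evidence in the message above ("TEST FILE '...' [0]" followed by a pool address in "MULTI: Learn") and the lines Xavier says a working lookup produces ("OPTIONS IMPORT: reading client specific options from: ..." and a "MULTI: Learn" with the pushed address) are enough to tell, per client, where a static-IP setup went wrong. The following added example, which is not code from this thread or from OpenVPN, parses exactly those three per-client record types out of a verb 4 (or higher) server log and gives each CN a verdict. The sample lines are constructed from the excerpts posted in this thread; the timestamps, the second client "clinic3" and its addresses are invented for contrast. The "[0]" / "[1]" in TEST FILE is OpenVPN's own result code (1 = the file exists and is readable).

```python
"""Per-client ccd diagnosis from an OpenVPN server log written at verb 4 or
higher.  Added example, not code from the thread or from OpenVPN.  It matches
the three per-client record types OpenVPN emits while applying a ccd file:
    TEST FILE '<path>' [0|1]                                (1 = readable)
    OPTIONS IMPORT: reading client specific options from: <path>
    MULTI: Learn: <ip> -> <cn>/<source ip:port>
The sample lines below are constructed from the excerpts posted in this
thread; the second client "clinic3" and its addresses are invented."""
import posixpath
import re

PREFIX = re.compile(
    r"^(?:\w{3} \w{3} +\d+ [\d:]+ \d{4} )?"          # optional timestamp
    r"(?P<cn>[^/\s]+)/(?P<src>[\d.]+:\d+) (?P<rest>.+)$")
TEST_FILE = re.compile(r"^TEST FILE '(?P<path>[^']+)' \[(?P<rc>[01])\]$")
IMPORT = re.compile(r"^OPTIONS IMPORT: reading client specific options from: (?P<path>\S+)$")
LEARN = re.compile(r"^MULTI: Learn: (?P<ip>[\d.]+) -> (?P<lcn>[^/\s]+)/")


def ccd_report(log_lines, expected):
    """expected maps CN -> address its ccd file pushes.  Returns, per CN seen,
    the ccd path probed, whether it was readable, whether its options were
    imported, the address the server learned, and a one-line verdict."""
    state = {}
    for line in log_lines:
        m = PREFIX.match(line.strip())
        if not m:                       # not a per-client record
            continue
        cn, rest = m["cn"], m["rest"]
        st = state.setdefault(cn, {"ccd_path": None, "ccd_found": False,
                                   "imported": False, "learned": None})
        t = TEST_FILE.match(rest)
        if t:
            # Only the probe for this CN counts; the DEFAULT probe is a fallback.
            if posixpath.basename(t["path"]) == cn:
                st["ccd_path"], st["ccd_found"] = t["path"], t["rc"] == "1"
            continue
        i = IMPORT.match(rest)
        if i:
            st["ccd_path"], st["imported"] = i["path"], True
            continue
        lm = LEARN.match(rest)
        if lm and lm["lcn"] == cn:
            st["learned"] = lm["ip"]
    for cn, st in state.items():
        want = expected.get(cn)
        if not (st["ccd_found"] or st["imported"]):
            st["verdict"] = ("ccd file not found on the server at %s" % st["ccd_path"]
                             if st["ccd_path"] else "no ccd lookup logged (verb too low?)")
        elif want is None:
            st["verdict"] = "ccd read; no expected address given"
        elif st["learned"] == want:
            st["verdict"] = "static address applied"
        else:
            st["verdict"] = "ccd read but learned %s, expected %s" % (st["learned"], want)
    return state


# Constructed sample: one failing client (from the thread) and one working one.
SAMPLE_LOG = """\
Thu Feb 25 15:10:01 2010 MULTI: multi_create_instance called
Thu Feb 25 15:10:02 2010 syscon9/68.148.245.78:56172 TEST FILE '/etc/openvpn/ccd/syscon9' [0]
Thu Feb 25 15:10:02 2010 syscon9/68.148.245.78:56172 TEST FILE '/etc/openvpn/ccd/DEFAULT' [0]
Thu Feb 25 15:10:02 2010 syscon9/68.148.245.78:56172 MULTI: Learn: 192.168.139.2 -> syscon9/68.148.245.78:56172
Thu Feb 25 15:12:40 2010 clinic3/198.51.100.7:41022 TEST FILE '/etc/openvpn/ccd/clinic3' [1]
Thu Feb 25 15:12:40 2010 clinic3/198.51.100.7:41022 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/clinic3
Thu Feb 25 15:12:40 2010 clinic3/198.51.100.7:41022 MULTI: Learn: 192.168.139.20 -> clinic3/198.51.100.7:41022
""".splitlines()

EXPECTED = {"syscon9": "192.168.139.15", "clinic3": "192.168.139.20"}

if __name__ == "__main__":
    for cn, st in ccd_report(SAMPLE_LOG, EXPECTED).items():
        print("%-8s learned=%-15s %s" % (cn, st["learned"], st["verdict"]))
```

Feed it the real log with something like ccd_report(open("/var/log/openvpn.log").readlines(), {"syscon9": "192.168.139.15"}). At verb 3 the TEST FILE probe is not logged at all, which the report flags as "no ccd lookup logged" rather than as a missing file; a "[0]" result with an absolute path means the daemon, running as whatever user it dropped to, could not open that exact file on the server.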



Re: [gentoo-user] openvpn static ip

2010-02-24 Thread Albert Hopkins
On Wed, 2010-02-24 at 18:32 -0700, Joseph wrote:
 I've configured OpenVPN and it works OK but I can't seem to figure out 
 how to assign static IPs to clients

Put this in your config:

client-config-dir client.d

And then in client.d/ have a file for each client, e.g.

# cat client.d/client
ifconfig-push 192.168.0.4 192.168.0.1






Re: [gentoo-user] openvpn static ip

2010-02-24 Thread Joseph

On 02/24/10 21:51, Albert Hopkins wrote:

On Wed, 2010-02-24 at 18:32 -0700, Joseph wrote:

I've configured OpenVPN and it works OK but I can't seem to figure out 
how to assign static IPs to clients


   Put this in your config:

   client-config-dir client.d

And then in client.d/ have a file for each client, e.g.

   # cat client.d/client
   ifconfig-push 192.168.0.4 192.168.0.1


The directory name shouldn't make any difference; I'm using the directory name ccd.
Though I've tried the IPs you suggested, it makes no difference, still
not getting a static IP :-/


Thanks for the suggestion, I've been on it all day and cannot find the solution.
--

Joseph



Re: [gentoo-user] OpenVPN and IPsec

2008-12-11 Thread Etaoin Shrdlu
On Thursday 11 December 2008, 22:08, Mick wrote:

 Hi All,

 I would like to set up a VPN connection to a router which is using IKE
  IPsec: 
 http://www.ciscopress.com/articles/article.asp?p=25474&seqNum=7

 Would I be able to achieve this using OpenVPN on my gentoo box?

Unfortunately not; openvpn has so far been mostly a software-only product 
and is not found in hardware appliances like routers or firewalls (at 
least as far as I know).

 I read the IPsec HowTo and scared myself to death (it seems long enough
 to warrant me taking time off work to read it . . . and at least
 another day to try it ;)

Yes, IPsec can be a nightmare. For connecting to Cisco, try using vpnc 
(perhaps with kvpnc if you're under kde) which should work reasonably 
well. Both programs are in portage.
kvpnc also acts as a single interface to handle various kinds of vpn 
connections (including openvpn, ipsec, pptp (to connect to some 
microsoft-based servers) and others). 



Re: [gentoo-user] OpenVPN setup

2008-02-18 Thread Mick
On Sunday 17 February 2008, Grant wrote:

  What wasn't mentioned is that SSL covers transport encryption, not
  necessarily application security.  What that means is if you open IMAP,
  SMTP, CUPS, and SSH daemons over the internet then you also need to keep
  (better) track of security vulnerabilities found in those applications,
  and fix them as needed.  SSL alone won't help you there.  Whereas if
  you're only running, say OpenVPN over the Internet then that's the only
  application you gotta look out for.
 
  Also, doing things such as running IMAP over SSL using accounts with
  weak passwords doesn't gain you much either.

 Good points Albert.  Is a daily 'emerge --sync && emerge -avDuN world'
 generally enough as far as tracking security vulnerabilities?

It will surely help.  So will strong passwords, denyhosts or fail2ban and 
equivalents, a well-configured IDS, etc., and close monitoring of the log 
files.  Let's be honest, a machine that runs services has the potential to 
get cracked one way or another.  A well-configured machine has a 
disproportionately small probability of getting cracked compared to your average 
IT-illiterate WinXP user around the world.  So, it's really a matter of how 
paranoid you would like to get about it.
-- 
Regards,
Mick




Re: [gentoo-user] OpenVPN setup

2008-02-17 Thread Grant
   Thanks a lot for everyone's help.  Here is a more to-the-point list of
   what I'd like to accomplish:
 
   1. encrypt CUPS printouts between remote server and local print server
   2. add an additional layer of security around SSH and CUPS on local
   firewall/print server
   3. add an additional layer of security around SSH, IMAP, and
   non-standard port HTTPS on remote server
   4. enable access to SMTP on remote server for me which is blocked by
   my local ISP
 
   It sounds like I have 3 choices:
 
   1. VPN
   2. SSH tunneling
   3. Zebedee tunneling
 
   Would all 3 of these choices accomplish all 4 requirements?  I would
   think SSH tunneling can't really add an additional layer around SSH.

 I'd just like to reiterate that most of those don't need any extra
 security. SSH and HTTPS are already secure, and IMAP and SMTP can be
 accessed over SSL (like HTTPS). These are all secure enough to be
 widely used without extra layers of encryption.

I'm surprised, but glad to hear this.  I was under the impression that
opening services like SSH and CUPS to the internet was a bad idea.  I
guess they're secure enough.  That removes #2 and #3 from my 4-part
list above.

If I can print with CUPS via SSL and submit SMTP mail via alternate
port 587, I won't need a VPN or tunnel.

Thanks a lot for everyone's help.  I'm going to start a new thread for
those topics.

- Grant
-- 
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] OpenVPN setup

2008-02-17 Thread Albert Hopkins

On Sun, 2008-02-17 at 07:12 -0800, Grant wrote:
  I'd just like to reiterate that most of those don't need any extra
  security. SSH and HTTPS are already secure, and IMAP and SMTP can be
  accessed over SSL (like HTTPS). These are all secure enough to be
  widely used without extra layers of encryption.
 
 I'm surprised, but glad to hear this.  I was under the impression that
 opening services like SSH and CUPS to the internet was a bad idea.  I
 guess they're secure enough.  That removes #2 and #3 from my 4-part
 list above.
 
 If I can print with CUPS via SSL and submit SMTP mail via alternate
 port 587, I won't need a VPN or tunnel.
 
 Thanks a lot for everyone's help.  I'm going to start a new thread for
 those topics.

What wasn't mentioned is that SSL covers transport encryption, not
necessarily application security.  What that means is if you open IMAP,
SMTP, CUPS, and SSH daemons over the internet then you also need to keep
(better) track of security vulnerabilities found in those applications,
and fix them as needed.  SSL alone won't help you there.  Whereas if
you're only running, say OpenVPN over the Internet then that's the only
application you gotta look out for.

Also, doing things such as running IMAP over SSL using accounts with
weak passwords doesn't gain you much either.

Just my 2 cents.

-a




Re: [gentoo-user] OpenVPN setup

2008-02-17 Thread Grant
   I'd just like to reiterate that most of those don't need any extra
   security. SSH and HTTPS are already secure, and IMAP and SMTP can be
   accessed over SSL (like HTTPS). These are all secure enough to be
   widely used without extra layers of encryption.
 
  I'm surprised, but glad to hear this.  I was under the impression that
  opening services like SSH and CUPS to the internet was a bad idea.  I
  guess they're secure enough.  That removes #2 and #3 from my 4-part
  list above.
 
  If I can print with CUPS via SSL and submit SMTP mail via alternate
  port 587, I won't need a VPN or tunnel.
 
  Thanks a lot for everyone's help.  I'm going to start a new thread for
  those topics.

 What wasn't mentioned is that SSL covers transport encryption, not
 necessarily application security.  What that means is if you open IMAP,
 SMTP, CUPS, and SSH daemons over the internet then you also need to keep
 (better) track of security vulnerabilities found in those applications,
 and fix them as needed.  SSL alone won't help you there.  Whereas if
 you're only running, say OpenVPN over the Internet then that's the only
 application you gotta look out for.

 Also, doing things such as running IMAP over SSL using accounts with
 weak passwords doesn't gain you much either.

Good points Albert.  Is a daily 'emerge --sync && emerge -avDuN world'
generally enough as far as tracking security vulnerabilities?

- Grant



Re: [gentoo-user] OpenVPN setup

2008-02-17 Thread Albert Hopkins

On Sun, 2008-02-17 at 12:03 -0800, Grant wrote:
 Good points Albert.  Is a daily 'emerge --sync && emerge -avDuN world'
 generally enough as far as tracking security vulnerabilities?
 
 - Grant

That's not really for me to say.  But I can tell you that although the
Gentoo developers take matters of security seriously, there is no
full-time security tracker.  Sometimes things don't get patched in
portage until someone (else) creates a bug report.  And even if that
were not the case, there are 0-day exploits that have yet to be patched.

So it really depends on how informed/paranoid you are about what you
have accepting requests from the Internet.




Re: [gentoo-user] OpenVPN setup

2008-02-17 Thread Grant
  Good points Albert.  Is a daily 'emerge --sync && emerge -avDuN world'
  generally enough as far as tracking security vulnerabilities?
 
  - Grant

 That's not really for me to say.  But I can tell you that although the
 Gentoo developers take matters of security seriously, there is no
 full-time security tracker.  Sometimes things don't get patched in
 portage until someone (else) creates a bug report.  And even if that
 were not the case, there are 0-day exploits that have yet to be patched.

 So it really depends on how informed/paranoid you are about what you
 have accepting requests from the Internet.

What do you think guys?  Simplicity or security?

- Grant



Re: [gentoo-user] OpenVPN setup

2008-02-17 Thread Grant
  Good points Albert.  Is a daily 'emerge --sync && emerge -avDuN world'
  generally enough as far as tracking security vulnerabilities?
 
  - Grant

 That's not really for me to say.  But I can tell you that although the
 Gentoo developers take matters of security seriously, there is no
 full-time security tracker.  Sometimes things don't get patched in
 portage until someone (else) creates a bug report.  And even if that
 were not the case, there are 0-day exploits that have yet to be patched.

 So it really depends on how informed/paranoid you are about what you
 have accepting requests from the Internet.

While we're on the subject, what is the best way to stay on top of
security vulnerabilities for a group of services?  Should I be
subscribed to their announcement mailing lists and make sure I'm
notified of new mail?

- Grant



Re: [gentoo-user] OpenVPN setup

2008-02-14 Thread Dan Farrell
On Wed, 13 Feb 2008 08:19:48 -0800
Grant [EMAIL PROTECTED] wrote:

Even if you just want to encrypt some clear-text protocol that
doesn't have an encrypted equivalent, a vpn is still overkill.
For that you use ssh tunneling (which is essentially the same
thing as an encrypted version of a protocol). 'ssh -X' is the
classic example of easily tunneling a protocol that doesn't
have a native encrypted equivalent.
  
   I see what you're saying.  Can tunneling through ssh be made
   automatic so that a cron job initiates a script that opens a
   tunnel between the remote server and local print server and pages
   are printed through the tunnel?
 
  Sure. ssh is just a process after all and in principle encapsulates
  whatever gets put into it. All you need is a connection that isn't
  firewalled out and an sshd that is listening to what is coming in.
 
  ssh will even port forward for you and can be made to transform any
  tcp connection to appear to come from whatever port you want. What
  you put inside the tunnel is up to you. If the print server won't
  accept what is coming in, then google will find you any number of
  apps that will mangle the traffic.
 
Your statement "it seems like running SSH inside a VPN is better
for security than running SSH on a non-standard port" is
non-sensical. From a security and encryption perspective, ssh
and OpenVPN are exactly the same thing - stuff wrapped in an
encryption layer provided by ssl, complete with exactly the
same key setup should you choose to use that route.
  
   What about having ssh, imap, smtp, cups, and possibly a
   non-standard https port all hidden within a VPN?  Should that be
   considered a benefit of running a VPN?
 
  I've filed the original post somewhere else and forgot the
  scenario :-) Is this a setup you need to be present often or even
  all the time? If so, you have 5 protocols in use, and setting up
  tunnels could become cumbersome. You might consider that it's more
  effort than it's worth and a VPN that is there and JustWorks(tm) is
  preferable. I would call that a sensible use of a VPN :-)
 
  I don't think there's a golden rule about when using a VPN is right
  or wrong. It's more like "do the advantages outweigh the hassle of
  setting it up and maintaining it?". Sometimes this answer is
  obvious, sometimes less so. Sometimes it's a judgement call.
 
 Thanks a lot for everyone's help.  Here is a more to-the-point list of
 what I'd like to accomplish:
 
 1. encrypt CUPS printouts between remote server and local print server
 2. add an additional layer of security around SSH and CUPS on local
 firewall/print server
 3. add an additional layer of security around SSH, IMAP, and
 non-standard port HTTPS on remote server
 4. enable access to SMTP on remote server for me which is blocked by
 my local ISP
 
 It sounds like I have 3 choices:
 
 1. VPN
 2. SSH tunneling
 3. Zebedee tunneling
 
 Would all 3 of these choices accomplish all 4 requirements?  I would
 think SSH tunneling can't really add an additional layer around SSH.

Encrypted packets, encrypted?  Why not?  

 I'd like to have something I can leave up all the time so the services
 are always protected and I don't have to go through an extra step to
 use email or print from the remote server.  Can all 3 of these be left
 up all the time?  Is there any reason not to leave this type of
 functionality up all the time?

I don't use tunnels, but leave VPN up all the time. 

 It sounds like VPN would be the most difficult to set up and maintain,
 followed by SSH tunneling, followed by Zebedee tunneling.  Maybe I'm
 wrong though.  With tunneling, would I need to set up 4 or 5 different
 tunnels for CUPS, IMAP, SMTP, non-standard port HTTPS, and SSH (if I'm
 using Zebedee)?

tunnels aren't configured, but would probably have to be created
at boot.  vpn is, I suppose, not super easy to configure.  I will send
you my config files though if you want.  

 To send me mail, mail servers need to connect to my remote server's
 SMTP right?  Would setting up a tunnel or VPN for my SMTP access
 interfere with that?

Not if you tunnel through to the right ports - or in the case of a VPN,
no.  




Re: [gentoo-user] OpenVPN setup

2008-02-13 Thread Grant
   Even if you just want to encrypt some clear-text protocol that
   doesn't have an encrypted equivalent, a vpn is still overkill. For
   that you use ssh tunneling (which is essentially the same thing as
   an encrypted version of a protocol). 'ssh -X' is the classic
   example of easily tunneling a protocol that doesn't have a native
   encrypted equivalent.
 
  I see what you're saying.  Can tunneling through ssh be made
  automatic so that a cron job initiates a script that opens a tunnel
  between the remote server and local print server and pages are
  printed through the tunnel?

 Sure. ssh is just a process after all and in principle encapsulates
 whatever gets put into it. All you need is a connection that isn't
 firewalled out and an sshd that is listening to what is coming in.

 ssh will even port forward for you and can be made to transform any tcp
 connection to appear to come from whatever port you want. What you put
 inside the tunnel is up to you. If the print server won't accept what
 is coming in, then google will find you any number of apps that will
 mangle the traffic.

   Your statement "it seems like running SSH inside a VPN is better
   for security than running SSH on a non-standard port" is
   non-sensical. From a security and encryption perspective, ssh and
   OpenVPN are exactly the same thing - stuff wrapped in an encryption
   layer provided by ssl, complete with exactly the same key setup
   should you choose to use that route.
 
  What about having ssh, imap, smtp, cups, and possibly a non-standard
  https port all hidden within a VPN?  Should that be considered a
  benefit of running a VPN?

 I've filed the original post somewhere else and forgot the scenario :-)
 Is this a setup you need to be present often or even all the time? If
 so, you have 5 protocols in use, and setting up tunnels could become
 cumbersome. You might consider that it's more effort than it's worth
 and a VPN that is there and JustWorks(tm) is preferable. I would call
 that a sensible use of a VPN :-)

 I don't think there's a golden rule about when using a VPN is right or
 wrong. It's more like "do the advantages outweigh the hassle of setting
 it up and maintaining it?". Sometimes this answer is obvious, sometimes
 less so. Sometimes it's a judgement call.

Thanks a lot for everyone's help.  Here is a more to-the-point list of
what I'd like to accomplish:

1. encrypt CUPS printouts between remote server and local print server
2. add an additional layer of security around SSH and CUPS on local
firewall/print server
3. add an additional layer of security around SSH, IMAP, and
non-standard port HTTPS on remote server
4. enable access to SMTP on remote server for me which is blocked by
my local ISP

It sounds like I have 3 choices:

1. VPN
2. SSH tunneling
3. Zebedee tunneling

Would all 3 of these choices accomplish all 4 requirements?  I would
think SSH tunneling can't really add an additional layer around SSH.

I'd like to have something I can leave up all the time so the services
are always protected and I don't have to go through an extra step to
use email or print from the remote server.  Can all 3 of these be left
up all the time?  Is there any reason not to leave this type of
functionality up all the time?

It sounds like VPN would be the most difficult to set up and maintain,
followed by SSH tunneling, followed by Zebedee tunneling.  Maybe I'm
wrong though.  With tunneling, would I need to set up 4 or 5 different
tunnels for CUPS, IMAP, SMTP, non-standard port HTTPS, and SSH (if I'm
using Zebedee)?

To send me mail, mail servers need to connect to my remote server's
SMTP right?  Would setting up a tunnel or VPN for my SMTP access
interfere with that?

- Grant



Re: [gentoo-user] OpenVPN setup

2008-02-13 Thread Mike Mazur
Hi Grant,

On Thu, Feb 14, 2008 at 1:19 AM, Grant [EMAIL PROTECTED] wrote:
  Thanks a lot for everyone's help.  Here is a more to-the-point list of
  what I'd like to accomplish:

  1. encrypt CUPS printouts between remote server and local print server
  2. add an additional layer of security around SSH and CUPS on local
  firewall/print server
  3. add an additional layer of security around SSH, IMAP, and
  non-standard port HTTPS on remote server
  4. enable access to SMTP on remote server for me which is blocked by
  my local ISP

  It sounds like I have 3 choices:

  1. VPN
  2. SSH tunneling
  3. Zebedee tunneling

  Would all 3 of these choices accomplish all 4 requirements?  I would
  think SSH tunneling can't really add an additional layer around SSH.

I'd just like to reiterate that most of those don't need any extra
security. SSH and HTTPS are already secure, and IMAP and SMTP can be
accessed over SSL (like HTTPS). These are all secure enough to be
widely used without extra layers of encryption.

Routing your printing over a tunnel is perfectly valid and, in my
opinion, reason enough to set up OpenVPN and play with it :D

  I'd like to have something I can leave up all the time so the services
  are always protected and I don't have to go through an extra step to
  use email or print from the remote server.  Can all 3 of these be left
  up all the time?  Is there any reason not to leave this type of
  functionality up all the time?

I can't speak for all of those options, but OpenVPN should be able to
stay up all the time. I currently have an established OpenVPN
connection to my work, it's been up for some five days now. I also
have experience with a Cisco VPN, for which I use vpnc[1]... that
thing goes down all the time.

[1] http://www.unix-ag.uni-kl.de/~massar/vpnc/

  It sounds like VPN would be the most difficult to set up and maintain,
  followed by SSH tunneling, followed by Zebedee tunneling.  Maybe I'm
  wrong though.  With tunneling, would I need to set up 4 or 5 different
  tunnels for CUPS, IMAP, SMTP, non-standard port HTTPS, and SSH (if I'm
  using Zebedee)?

You can establish only one tunnel. Think of it this way, creating a
tunnel is analogous to adding a NIC to your system. It will be called
tun0 or tap0 (depending on whether you're tunneling or bridging). Then
your system has an IP on your physical NIC (eth0) and your tun/tap
interface as well. Your machine is now part of two network segments,
the physical one and the virtual one.

You only need one VPN tunnel; configure all your apps to route their
CUPS, IMAP, SMTP, HTTPS and SSH connections through that virtual
network.

  To send me mail, mail servers need to connect to my remote server's
  SMTP right?  Would setting up a tunnel or VPN for my SMTP access
  interfere with that?

I would imagine your SMTP port needs to be accessible from the outside
world in order to receive mail... so as long as packets bound for that
machine's IP on port 25 (is it?) will reach the machine, you'll be OK.
Perhaps someone more knowledgeable on mail servers can clarify this.

At any rate, why not just go ahead with OpenVPN, set it up and see how
it works for you? You'll be in a much better position then to
determine whether it's really what you want or need.

Have fun!
Mike



Re: [gentoo-user] OpenVPN setup

2008-02-13 Thread W.Kenworthy

On Wed, 2008-02-13 at 08:19 -0800, Grant wrote:

 
 Thanks a lot for everyone's help.  Here is a more to-the-point list of
 what I'd like to accomplish:
 
 1. encrypt CUPS printouts between remote server and local print server
 2. add an additional layer of security around SSH and CUPS on local
 firewall/print server
 3. add an additional layer of security around SSH, IMAP, and
 non-standard port HTTPS on remote server
 4. enable access to SMTP on remote server for me which is blocked by
 my local ISP
 
 It sounds like I have 3 choices:
 
 1. VPN
 2. SSH tunneling
 3. Zebedee tunneling
 

Simplify - send cups and smtp send only by zebedee

SSH and HTTPS are already highly regarded as safe.  Convert your email
reading to the secure imaps.  Experience over the years has me
sitting on the side of using as few layers as possible - anything you
add is going to increase complexity (management time) and reduce
reliability.

I do run openvpn and zebedee (in the past) using iptables to restrict
access, and the services themselves are killed/restarted at appropriate
times via cron to minimise exposure.  Zebedee handles it very well
(except when in server mode on a doze box!!) - openvpn can be a bit ..
ah ... fussy ... I find it will sometimes get in a loop of out of sync
connection attempts requiring manually logging into both ends to fix,
and complex routing is always fun.  It is more designed to be always up
and available rather than on/off.  Zebedee however can handle most
scenarios quite well, including a server behind a firewall where it can
call out to the client.

BillK




Re: [gentoo-user] OpenVPN setup

2008-02-12 Thread Etaoin Shrdlu
On Tuesday 12 February 2008, Grant wrote:

  Use SSH if you need a quick ad-hoc connection or something
  temporary. Use OpenVPN if you need something more permanent that is
  always present and just works.

 I need temporary, but automated.  Can an ssh tunnel be set up in an
 automated way?

Of course, especially if you set up public key authentication.



Re: [gentoo-user] OpenVPN setup

2008-02-12 Thread William Kenworthy

On Tue, 2008-02-12 at 19:30 +0200, Alan McKinnon wrote:
 On Tuesday 12 February 2008, Etaoin Shrdlu wrote:
  On Tuesday 12 February 2008, Alan McKinnon wrote:
   Your statement "it seems like running SSH inside a VPN is better
   for security than running SSH on a non-standard port" is
   non-sensical. From a security and encryption perspective, ssh and
   OpenVPN are exactly the same thing - stuff wrapped in an encryption
   layer provided by ssl, complete with exactly the same key setup
   should you choose to use that route.
 
  Perhaps confusingly, ssh itself can be used to create openVPN-like
  VPNs (actually, much simpler), using the -w option and a couple of
  tun (or tap) interfaces on the connected computers.
 
 hehehe, I'd forgotten about that one for a bit :-)
 
 I just thought of a nice way to describe the difference (seeing as 
 technically they are essentially equivalent):
 
 Use SSH if you need a quick ad-hoc connection or something temporary.
 Use OpenVPN if you need something more permanent that is always present 
 and just works.
 
 -- 
 Alan McKinnon
 alan dot mckinnon at gmail dot com
 

Another alternative not mentioned so far - zebedee.  It's a port-based
tunnel - that is instead of creating a new network with all its fuss and
bother, just create a local port (may be on another local machine) that
surfaces on a distant machine/network.  I used it for many years for
email and protecting telnet servers before openvpn became of age and my
needs expanded.  Recommended.  Again, ssh can do this as well, but
zebedee is a lot more flexible/convenient.  Create tunnels for ports 25,
143 and 631 and you have email and cups.  e.g., I map port 2225 to port
25 and set my local mail client to send email to localhost:2225 and it
magically connects to my mail server at home.

It can also be done at a user level - you don't need admin privileges so
if you have user level access to a machine, you can run a tunnel on it
unlike openvpn. It is also cross platform which is nice :)

From the mailing list, it seems there are quite a few enterprise users
as it's got a good reputation in its niche.

BillK





Re: [gentoo-user] OpenVPN setup

2008-02-12 Thread Eric Martin

Grant wrote:

 I'm hoping to use the vpn in three ways:

 1. imap and smtp between my laptop and the mail server
 2. ssh from my laptop to the remote server
 3. cups printing from the remote server to the print server
  

I don't think you need a VPN to SSH from your laptop to the remote
server -- SSH is already encrypted.



For sure, but it seems like running SSH inside a VPN is better for
security than running SSH on a non-standard port or even port
knocking.  If I need to set up a VPN for printing, shouldn't I use it
for other stuff too?  Maybe not, I have yet to actually use a VPN so
please correct me if I'm wrong.

  
SSH + Public/Private Keys.  I don't accept passwords on my box, you need 
to have a correct account name and a private key for that machine to 
even think about talking to you.  The only authentication method is 
PubKeyAuth; everything else is NO.

If your laptop is always behind your local firewall, then it should be
sufficient to have an OpenVPN tunnel established between your local
firewall/print server and your remote server. This should allow you to
print.

Configuring the routes on your laptop to go through your local
firewall and VPN to the remote server should allow you to grab your
mail.

If you move around with your laptop then you'll need to establish the
VPN tunnel to your remote server anytime you need to grab your mail
from anywhere else but home (behind your local firewall).



Ah, tunnels, OK.  I need to think in terms of tunnels.  I'll
definitely be moving around and won't be behind my local firewall too
much of the time.  Can I set up the openvpn server on my remote system
and keep a tunnel open between it and the firewall/print server for
printing, and also initiate a tunnel between the laptop and the remote
system whenever I need to mail or SSH?  Does that sound like a good
plan?

- Grant
  
The other thing you can do is run ssh and use tunneling to run printing 
over.  Granted it's kind of a pita for more stuff, but it's a poor man's 
vpn.  (and what I use to view my webservers at home)


Eric



Re: [gentoo-user] OpenVPN setup

2008-02-12 Thread Dan Farrell
On Tue, 12 Feb 2008 19:42:44 +0200
Alan McKinnon [EMAIL PROTECTED] wrote:

  What about having ssh, imap, smtp, cups, and possibly a non-standard
  https port all hidden within a VPN?  Should that be considered a
  benefit of running a VPN?  

One other thought about ssh+vpn, if you have VPN problems (for example,
the server goes down or you can't route to the subnet (if, say, you
were on a local subnet with the same address it gets hairy)) you can
still get in with SSH.  



Re: [gentoo-user] OpenVPN setup

2008-02-12 Thread Etaoin Shrdlu
On Tuesday 12 February 2008, Alan McKinnon wrote:

  Perhaps confusingly, ssh itself can be used to create openVPN-like
  VPNs (actually, much simpler), using the -w option and a couple of
  tun (or tap) interfaces on the connected computers.

 hehehe, I'd forgotten about that one for a bit :-)

 I just thought of a nice way to describe the difference (seeing as
 technically they are essentially equivalent):

Well, almost. Ssh uses TCP, so an ssh-based VPN might encounter problems 
due to the notorious TCP-over-TCP issue (though I never had a problem, 
but I have a fast connection, so I might just be lucky), whereas OpenVPN 
uses UDP (by default at least) and thus must implement its own protocol 
for reliability and recovery. Both solutions introduce a certain amount 
of overhead, although I could not say which one is larger (perhaps 
OpenVPN?).
(Well, actually every kind of VPN introduces some overhead, but that's 
another story.)
From the point of view of the way virtual (tun/tap) interfaces are used, 
they are mostly the same, with OpenVPN designed to scale better when 
many connections are needed.

Some considerations apply to both, for example that using bridged mode 
might rapidly produce a lot of traffic on the link if more than few 
machines are connected (especially if they are windows machines), so it 
should be avoided for large setups.

 Use SSH if you need a quick ad-hoc connection or something temporary.
 Use OpenVPN if you need something more permanent that is always present
 and just works.

100% agree :-)



Re: [gentoo-user] OpenVPN setup

2008-02-12 Thread Alan McKinnon
On Tuesday 12 February 2008, Grant wrote:
  Even if you just want to encrypt some clear-text protocol that
  doesn't have an encrypted equivalent, a vpn is still overkill. For
  that you use ssh tunneling (which is essentially the same thing as
  an encrypted version of a protocol). 'ssh -X' is the classic
  example of easily tunneling a protocol that doesn't have a native
  encrypted equivalent.

 I see what you're saying.  Can tunneling through ssh be made
 automatic so that a cron job initiates a script that opens a tunnel
 between the remote server and local print server and pages are
 printed through the tunnel?

Sure. ssh is just a process after all and in principle encapsulates 
whatever gets put into it. All you need is a connection that isn't 
firewalled out and an sshd that is listening to what is coming in.

ssh will even port forward for you and can be made to transform any tcp 
connection to appear to come from whatever port you want. What you put 
inside the tunnel is up to you. If the print server won't accept what 
is coming in, then google will find you any number of apps that will 
mangle the traffic.

  Your statement "it seems like running SSH inside a VPN is better
  for security than running SSH on a non-standard port" is
  non-sensical. From a security and encryption perspective, ssh and
  OpenVPN are exactly the same thing - stuff wrapped in an encryption
  layer provided by ssl, complete with exactly the same key setup
  should you choose to use that route.

 What about having ssh, imap, smtp, cups, and possibly a non-standard
 https port all hidden within a VPN?  Should that be considered a
 benefit of running a VPN?

I've filed the original post somewhere else and forgot the scenario :-)
Is this a setup you need to be present often or even all the time? If 
so, you have 5 protocols in use, and setting up tunnels could become 
cumbersome. You might consider that it's more effort than it's worth 
and a VPN that is there and JustWorks(tm) is preferable. I would call 
that a sensible use of a VPN :-)

I don't think there's a golden rule about when using a VPN is right or 
wrong. It's more like "do the advantages outweigh the hassle of setting 
it up and maintaining it?". Sometimes this answer is obvious, sometimes 
less so. Sometimes it's a judgement call.

Side note: I'm starting to consider that even the most whacky, bizarre 
and stupid use of OpenVPN is preferable to the heartache and pain 
involved with trying to get IPSec working as designed.

-- 
Alan McKinnon
alan dot mckinnon at gmail dot com

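The automated, key-only ssh tunnel this thread keeps coming back to (the cron-driven port forward Alan describes above, and Eric's sshd that accepts nothing but PubKeyAuth), as an added example that is not from any message here: a POSIX sh script a cron job could run. The host name, ports, key path and the two sample sshd_config snippets are all assumptions/constructed.

```shell
#!/bin/sh
# Added example, not from any message in this thread. Brings up the
# CUPS-over-ssh local forward discussed above from cron, after confirming
# that the sshd on the far end only accepts public keys. Host, ports and
# key path are assumptions; the sample sshd_config snippets are constructed.

# build_tunnel_cmd USER@HOST LOCAL_PORT REMOTE_PORT KEYFILE
# Prints the ssh invocation for an unattended local forward: -N (no shell),
# BatchMode so it can never sit waiting for a password, keepalives so a dead
# link is noticed, and ExitOnForwardFailure so a port clash is an error
# rather than a silently useless session.
build_tunnel_cmd() {
    printf 'ssh -N -L %s:localhost:%s -i %s -o BatchMode=yes -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 %s' \
        "$2" "$3" "$4" "$1"
}

# sshd_setting CONFIG KEYWORD
# Prints the effective value of KEYWORD in an sshd_config. sshd keywords are
# case-insensitive and the first non-comment occurrence wins; "Key value"
# form is assumed (no "Key=value", no Match blocks).
sshd_setting() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print tolower($2); exit }' "$1"
}

# sshd_key_only CONFIG
# Returns 0 when CONFIG admits public keys only (the PubKeyAuth-only setup
# mentioned above), 1 when a password or keyboard-interactive path is left
# open. Unset keywords fall back to sshd's defaults (yes for all of these),
# so an explicit "no" is required for the password paths.
sshd_key_only() {
    pw=$(sshd_setting "$1" PasswordAuthentication)
    cr=$(sshd_setting "$1" ChallengeResponseAuthentication)
    kb=$(sshd_setting "$1" KbdInteractiveAuthentication)
    pk=$(sshd_setting "$1" PubkeyAuthentication)
    [ "$pw" = no ] || return 1
    # either spelling of the keyboard-interactive switch must be off
    [ "$cr" = no ] || [ "$kb" = no ] || return 1
    # pubkey defaults to yes when unset; only an explicit "no" is wrong
    [ "$pk" != no ] || return 1
    return 0
}

# Constructed sample configs for demonstration (not copied from any host).
HARD=$(mktemp) && WEAK=$(mktemp)
trap 'rm -f "$HARD" "$WEAK"' EXIT
cat >"$HARD" <<'EOF'
# hardened: keys only
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
cat >"$WEAK" <<'EOF'
#PasswordAuthentication no
PubkeyAuthentication yes
EOF

# Tunnel the far side's CUPS port (631) to local port 6310; CUPS on this
# side would then be pointed at ipp://localhost:6310/printers/NAME (assumed).
TUNNEL=$(build_tunnel_cmd printer@remote.example 6310 631 "$HOME/.ssh/cups_tunnel_key")

if sshd_key_only "$HARD"; then echo "hardened config: key-only, OK"; fi
if sshd_key_only "$WEAK"; then
    echo "weak config: wrongly accepted"
else
    echo "weak config: password login still possible (a commented-out line does nothing)"
fi
echo "cron would run: $TUNNEL"
```

The script only prints the ssh command; a cron entry would run that command directly, and the config check is meant to be run against the far end's sshd_config before trusting the tunnel.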



Re: [gentoo-user] OpenVPN setup

2008-02-12 Thread Grant
   Your statement "it seems like running SSH inside a VPN is better
   for security than running SSH on a non-standard port" is
   non-sensical. From a security and encryption perspective, ssh and
   OpenVPN are exactly the same thing - stuff wrapped in an encryption
   layer provided by ssl, complete with exactly the same key setup
   should you choose to use that route.
 
  Perhaps confusingly, ssh itself can be used to create openVPN-like
  VPNs (actually, much simpler), using the -w option and a couple of
  tun (or tap) interfaces on the connected computers.

 hehehe, I'd forgotten about that one for a bit :-)

 I just thought of a nice way to describe the difference (seeing as
 technically they are essentially equivalent):

 Use SSH if you need a quick ad-hoc connection or something temporary.
 Use OpenVPN if you need something more permanent that is always present
 and just works.

I need temporary, but automated.  Can an ssh tunnel be set up in an
automated way?

- Grant



Re: [gentoo-user] OpenVPN setup

2008-02-12 Thread Alan McKinnon
On Tuesday 12 February 2008, Etaoin Shrdlu wrote:
 On Tuesday 12 February 2008, Alan McKinnon wrote:
  Your statement "it seems like running SSH inside a VPN is better
  for security than running SSH on a non-standard port" is
  non-sensical. From a security and encryption perspective, ssh and
  OpenVPN are exactly the same thing - stuff wrapped in an encryption
  layer provided by ssl, complete with exactly the same key setup
  should you choose to use that route.

 Perhaps confusingly, ssh itself can be used to create openVPN-like
 VPNs (actually, much simpler), using the -w option and a couple of
 tun (or tap) interfaces on the connected computers.

hehehe, I'd forgotten about that one for a bit :-)

I just thought of a nice way to describe the difference (seeing as 
technically they are essentially equivalent):

Use SSH if you need a quick ad-hoc connection or something temporary.
Use OpenVPN if you need something more permanent that is always present 
and just works.

-- 
Alan McKinnon
alan dot mckinnon at gmail dot com

-- 
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] OpenVPN setup

2008-02-12 Thread Etaoin Shrdlu
On Tuesday 12 February 2008, Alan McKinnon wrote:

 Your statement it seems like running SSH inside a VPN is better for
 security than running SSH on a non-standard port is non-sensical.
 From a security and encryption perspective, ssh and OpenVPN are
 exactly the same thing - stuff wrapped in an encryption layer provided
 by ssl, complete with exactly the same key setup should you choose to
 use that route.

Perhaps confusingly, ssh itself can be used to create openVPN-like VPNs 
(actually, much simpler), using the -w option and a couple of tun (or 
tap) interfaces on the connected computers.
-- 
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] OpenVPN setup

2008-02-12 Thread Alan McKinnon
On Tuesday 12 February 2008, Grant wrote:
  I don't think you need a VPN to SSH from your laptop to the remote
  server -- SSH is already encrypted.

 For sure, but it seems like running SSH inside a VPN is better for
 security than running SSH on a non-standard port or even port
 knocking.  If I need to set up a VPN for printing, shouldn't I use it
 for other stuff too?  Maybe not, I have yet to actually use a VPN so
 please correct me if I'm wrong.

The name tells you everything you need to know.

vpn is Virtual Private *Network*. If you would normally have a dedicated 
line between this place and that place to form a network, but this is 
too expensive so you use the internet instead, then you use a vpn. Why? 
Because the internet is a public pathway and you don't want your stuff 
out in the open.

If you want a client machine somewhere to connect to a server machine 
somewhere else, then this is normal internet connectivity and vpn is 
the wrong thing. If you want the client machine to be part of the same 
network the server is on so that lots of stuff works the way it does in 
the office itself, then vpn is the correct thing.

Even if you just want to encrypt some clear-text protocol that doesn't 
have an encrypted equivalent, a vpn is still overkill. For that you use 
ssh tunneling (which is essentially the same thing as an encrypted 
version of a protocol). 'ssh -X' is the classic example of easily 
tunneling a protocol that doesn't have a native encrypted equivalent.

Your statement it seems like running SSH inside a VPN is better for 
security than running SSH on a non-standard port is non-sensical. From 
a security and encryption perspective, ssh and OpenVPN are exactly the 
same thing - stuff wrapped in an encryption layer provided by ssl, 
complete with exactly the same key setup should you choose to use that 
route.

-- 
Alan McKinnon
alan dot mckinnon at gmail dot com

--
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] OpenVPN setup

2008-02-12 Thread Grant
   I don't think you need a VPN to SSH from your laptop to the remote
   server -- SSH is already encrypted.
 
  For sure, but it seems like running SSH inside a VPN is better for
  security than running SSH on a non-standard port or even port
  knocking.  If I need to set up a VPN for printing, shouldn't I use it
  for other stuff too?  Maybe not, I have yet to actually use a VPN so
  please correct me if I'm wrong.

 The name tells you everything you need to know.

 vpn is Virtual Private *Network*. If you would normally have a dedicated
 line between this place and that place to form a network, but this is
 too expensive so you use the internet instead, then you use a vpn. Why?
 Because the internet is a public pathway and you don't want your stuff
 out in the open.

 If you want a client machine somewhere to connect to a server machine
 somewhere else, then this is normal internet connectivity and vpn is
 the wrong thing. If you want the client machine to be part of the same
 network the server is on so that lots of stuff works the way it does in
 the office itself, then vpn is the correct thing.

 Even if you just want to encrypt some clear-text protocol that doesn't
 have an encrypted equivalent, a vpn is still overkill. For that you use
 ssh tunneling (which is essentially the same thing as an encrypted
 version of a protocol). 'ssh -X' is the classic example of easily
 tunneling a protocol that doesn't have a native encrypted equivalent.

I see what you're saying.  Can tunneling through ssh be made automatic
so that a cron job initiates a script that opens a tunnel between the
remote server and local print server and pages are printed through the
tunnel?

 Your statement it seems like running SSH inside a VPN is better for
 security than running SSH on a non-standard port is non-sensical. From
 a security and encryption perspective, ssh and OpenVPN are exactly the
 same thing - stuff wrapped in an encryption layer provided by ssl,
 complete with exactly the same key setup should you choose to use that
 route.

What about having ssh, imap, smtp, cups, and possibly a non-standard
https port all hidden within a VPN?  Should that be considered a
benefit of running a VPN?

- Grant
-- 
gentoo-user@lists.gentoo.org mailing list
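Grant asks here, and again in his reply at the top of this page, whether an ssh tunnel can be brought up unattended from cron. The script below is an added example and not code from anyone in this thread: a cron-safe shell script that keeps one ssh port forward open from the remote server to the IPP port of the home print server, using a dedicated key whose authorized_keys entry is confined to that single forward. The host name print-gw.example, the key path and the local port 6310 are placeholders; the OpenSSH options it relies on (BatchMode, ExitOnForwardFailure, ServerAliveInterval, restrict, permitopen, port-forwarding) are real.

```shell
#!/bin/sh
# Added example (not from the list posts): keep one ssh port forward up,
# unattended, so CUPS on the remote server can reach the home print server.
# Placeholder names: print-gw.example (home firewall/print server),
# /var/lib/cups-tunnel/id_ed25519 (a key used for nothing else), port 6310.
#
# Risk being managed: an unattended key has to be passphrase-less, so on the
# print server side it is confined to this single forward (see
# authorized_keys_entry) and can never open a shell or forward elsewhere.

TUNNEL_HOST=${TUNNEL_HOST:-print-gw.example}
TUNNEL_KEY=${TUNNEL_KEY:-/var/lib/cups-tunnel/id_ed25519}
LOCAL_PORT=${LOCAL_PORT:-6310}   # CUPS on the remote server prints to localhost:6310
REMOTE_PORT=631                  # IPP on the home print server

# tunnel_cmd HOST REMOTE_PORT LOCAL_PORT KEY -> the ssh command line.
#   -N                      forward only, no remote command
#   BatchMode=yes           never prompt (cron has no terminal)
#   ExitOnForwardFailure    die instead of sitting in a useless session
#   ServerAlive*            notice a dead link within ~90 s so cron can replace it
tunnel_cmd() {
    printf 'ssh -i %s -N -o BatchMode=yes -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -L %s:localhost:%s %s' \
        "$4" "$3" "$2" "$1"
}

# authorized_keys_entry PUBKEY REMOTE_PORT -> the line to install on the print
# server: 'restrict' turns off pty, X11 and agent forwarding and all the rest,
# then only port forwarding to localhost:REMOTE_PORT is re-enabled.
authorized_keys_entry() {
    printf 'restrict,port-forwarding,permitopen="localhost:%s",command="/bin/false" %s' "$2" "$1"
}

# tunnel_running LOCAL_PORT -> 0 if an ssh forward for that port already exists
tunnel_running() {
    pgrep -f "ssh .* -L $1:localhost:" >/dev/null 2>&1
}

# ensure_tunnel: idempotent, safe to call every few minutes from cron
ensure_tunnel() {
    if tunnel_running "$LOCAL_PORT"; then
        return 0
    fi
    nohup sh -c "$(tunnel_cmd "$TUNNEL_HOST" "$REMOTE_PORT" "$LOCAL_PORT" "$TUNNEL_KEY")" \
        >/dev/null 2>&1 &
}

# Only act when explicitly asked, so the file can also be sourced just for the
# functions. Crontab line, for instance:
#   */5 * * * *  TUNNEL_RUN=1 /usr/local/sbin/cups-tunnel.sh
if [ "${TUNNEL_RUN:-0}" = 1 ]; then
    ensure_tunnel
fi
```

Install the line that authorized_keys_entry prints (with the tunnel key's public half) on the print server, run the script from cron with TUNNEL_RUN=1, and point the remote CUPS at ipp://localhost:6310/. Because the key is restricted on the receiving side, a compromise of the remote server exposes only port 631 on the print server, not a login.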



Re: [gentoo-user] OpenVPN setup

2008-02-11 Thread Alan McKinnon
On Monday 11 February 2008, Grant wrote:

 The second guide deals with bridging and the first does not.  Should
 I be setting up bridging?  The first guide seems simpler.  Should I
 be OK with that one?  I'd hate to dig into one of them and then find
 out I should have chosen the other.

 - Grant

IMHO you should always go with routed first, then bridged if you need 
it.

Ask yourself this question: do you really need ethernet traffic to go 
through the vpn? There are cases where it could be useful, but I'm hard 
pressed to find a general case.

With a routed vpn, you work with IP addresses, just like you do on the 
internet.

-- 
Alan McKinnon
alan dot mckinnon at gmail dot com

-- 
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] OpenVPN setup

2008-02-11 Thread Mike Mazur
Hi Grant,

On Tue, Feb 12, 2008 at 5:41 AM, Grant [EMAIL PROTECTED] wrote:
  I'm hoping to use the vpn in three few ways:

  1. imap and smtp between my laptop and the mail server
  2. ssh from my laptop to the remote server
  3. cups printing from the remote server to the print server

I don't think you need a VPN to SSH from your laptop to the remote
server -- SSH is already encrypted.

If your laptop is always behind your local firewall, then it should be
sufficient to have an OpenVPN tunnel established between your local
firewall/print server and your remote server. This should allow you to
print.

Configuring the routes on your laptop to go through your local
firewall and VPN to the remote server should allow you to grab your
mail.

If you move around with your laptop then you'll need to establish the
VPN tunnel to your remote server anytime you need to grab your mail
from anywhere else but home (behind your local firewall).

On Tue, Feb 12, 2008 at 5:53 AM, Alan McKinnon [EMAIL PROTECTED] wrote:
  IMHO you should always go with routed first, then bridged if you need
  it.

  Ask yourself this question: do you really need ethernet traffic to go
  through the vpn? There are cases where it could be useful, but I'm hard
  pressed to find a general case.

  With a routed vpn, you work with IP addresses, just like you do on the
  internet.

As Alan said, try going with routed first.

Also, think about whether you really need this. As mentioned above,
SSH doesn't need to be tunneled over a VPN. IMAP and SMTP can be
encrypted too. That leaves printing, for which you could use VPN.

Have fun!
Mike
-- 
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] OpenVPN setup

2008-02-11 Thread Grant
   I'm hoping to use the vpn in three few ways:
 
   1. imap and smtp between my laptop and the mail server
   2. ssh from my laptop to the remote server
   3. cups printing from the remote server to the print server

 I don't think you need a VPN to SSH from your laptop to the remote
 server -- SSH is already encrypted.

For sure, but it seems like running SSH inside a VPN is better for
security than running SSH on a non-standard port or even port
knocking.  If I need to set up a VPN for printing, shouldn't I use it
for other stuff too?  Maybe not, I have yet to actually use a VPN so
please correct me if I'm wrong.

 If your laptop is always behind your local firewall, then it should be
 sufficient to have an OpenVPN tunnel established between your local
 firewall/print server and your remote server. This should allow you to
 print.

 Configuring the routes on your laptop to go through your local
 firewall and VPN to the remote server should allow you to grab your
 mail.

 If you move around with your laptop then you'll need to establish the
 VPN tunnel to your remote server anytime you need to grab your mail
 from anywhere else but home (behind your local firewall).

Ah, tunnels, OK.  I need to think in terms of tunnels.  I'll
definitely be moving around and won't be behind my local firewall too
much of the time.  Can I set up the openvpn server on my remote system
and keep a tunnel open between it and the firewall/print server for
printing, and also initiate a tunnel between the laptop and the remote
system whenever I need to mail or SSH?  Does that sound like a good
plan?

- Grant


   IMHO you should always go with routed first, then bridged if you need
   it.
 
   Ask yourself this question: do you really need ethernet traffic to go
   through the vpn? There are cases where it could be useful, but I'm hard
   pressed to find a general case.
 
   With a routed vpn, you work with IP addresses, just like you do on the
   internet.

 As Alan said, try going with routed first.

 Also, think about whether you really need this. As mentioned above,
 SSH doesn't need to be tunneled over a VPN. IMAP and SMTP can be
 encrypted too. That leaves printing, for which you could use VPN.

 Have fun!
 Mike
-- 
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] OpenVPN setup

2008-02-11 Thread W.Kenworthy
I do this with my work printer - the printer is locked down to a local
network - I can print from locked out offices/labs anywhere (and even
from home, picking up the printouts when I arrive - convenient!)

I also transfer sometimes large files (using scp) and run ssh sessions
and imap/smtp mail all through the same tunnel(s) - I actually use two
in series with a convenient host in between to get around some local
routing issues.  All can be transparent and just work.  scp can
sometimes be a pain with slow speeds but it's dependent on network
conditions external to the tunnel - i.e., some external conditions cause
interactions that affect packet sizes/latency within the tunnel - doesn't
happen often though.

Routing is often an issue (particularly to  networks a few hops away on
the inside) - ospf (quagga) was the solution, though RIP is probably
easier/better for this

The downside - gentoo's openvpn and networking design is ok for simple
setups, but has to be overridden when getting complex.  Can be fragile
when design changes are taking place - breaks when you least expect it
like when they introduced the bind flag into the init.d script (gr)

Note that you need sympathetic or pliable IT staff if it's a workplace -
helps to have them onside if you are going to bypass their security
policies for your own benefit!

BillK


On Mon, 2008-02-11 at 19:44 -0600, Dan Farrell wrote:
 On Mon, 11 Feb 2008 16:00:49 -0800
 Grant [EMAIL PROTECTED] wrote:
 
   You can print from your laptop to your printer at home while
   overseas, for example.  
 
 Sounds very convenient ; ) 
-- 
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] OpenVPN setup

2008-02-11 Thread Dan Farrell
On Mon, 11 Feb 2008 16:00:49 -0800
Grant [EMAIL PROTECTED] wrote:

  You can print from your laptop to your printer at home while
  overseas, for example.  

Sounds very convenient ; ) 
-- 
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] OpenVPN setup

2008-02-11 Thread Grant
 I'm hoping to use the vpn in three few ways:

  1. imap and smtp between my laptop and the mail server
  2. ssh from my laptop to the remote server
  3. cups printing from the remote server to the print server
   
I don't think you need a VPN to SSH from your laptop to the remote
server -- SSH is already encrypted.
 
   For sure, but it seems like running SSH inside a VPN is better for
   security than running SSH on a non-standard port or even port
   knocking.  If I need to set up a VPN for printing, shouldn't I use it
   for other stuff too?  Maybe not, I have yet to actually use a VPN so
   please correct me if I'm wrong.

 There are other ways to make SSH more secure. For example, you could

But what's wrong with this one? :)  Honestly though, why would any of
those methods be preferred to openvpn?

 only enable PubkeyAuthentication while disabling all other methods of
 Authentication, then use a large (4096-bit?) key pair with a strong
 passphrase[1] and use keychain[2] so you don't have to type in the
 passphrase all the time. OK, I'm exaggerating a bit with those
 passwords from GRC, but you get the idea.

 [1] https://www.grc.com/passwords.htm
 [2] http://www.gentoo.org/proj/en/keychain/

 Also keep in mind the added overhead with OpenVPN -- your encrypted
 SSH traffic is again encrypted by the VPN.

Is this significant?  Would my SSH latency be increased, the system
slowed down, or both?

If your laptop is always behind your local firewall, then it should be
sufficient to have an OpenVPN tunnel established between your local
firewall/print server and your remote server. This should allow you to
print.
   
Configuring the routes on your laptop to go through your local
firewall and VPN to the remote server should allow you to grab your
mail.
   
If you move around with your laptop then you'll need to establish the
VPN tunnel to your remote server anytime you need to grab your mail
from anywhere else but home (behind your local firewall).
 
   Ah, tunnels, OK.  I need to think in terms of tunnels.  I'll
   definitely be moving around and won't be behind my local firewall too
   much of the time.  Can I set up the openvpn server on my remote system
   and keep a tunnel open between it and the firewall/print server for
   printing, and also initiate a tunnel between the laptop and the remote
   system whenever I need to mail or SSH?  Does that sound like a good
   plan?

 Yep, that should work. With a 'permanent' tunnel established between
 your remote server and your local firewall/print server, you'll always
 have access to those too simply by connecting via VPN to your remote
 server. You can print from your laptop to your printer at home while
 overseas, for example.

Nice, thanks Mike.

- Grant
-- 
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] OpenVPN setup

2008-02-11 Thread Mike Mazur
Hi Grant,

On Tue, Feb 12, 2008 at 8:11 AM, Grant [EMAIL PROTECTED] wrote:
I'm hoping to use the vpn in three few ways:
   
 1. imap and smtp between my laptop and the mail server
 2. ssh from my laptop to the remote server
 3. cups printing from the remote server to the print server
  
   I don't think you need a VPN to SSH from your laptop to the remote
   server -- SSH is already encrypted.

  For sure, but it seems like running SSH inside a VPN is better for
  security than running SSH on a non-standard port or even port
  knocking.  If I need to set up a VPN for printing, shouldn't I use it
  for other stuff too?  Maybe not, I have yet to actually use a VPN so
  please correct me if I'm wrong.

There are other ways to make SSH more secure. For example, you could
only enable PubkeyAuthentication while disabling all other methods of
Authentication, then use a large (4096-bit?) key pair with a strong
passphrase[1] and use keychain[2] so you don't have to type in the
passphrase all the time. OK, I'm exaggerating a bit with those
passwords from GRC, but you get the idea.

[1] https://www.grc.com/passwords.htm
[2] http://www.gentoo.org/proj/en/keychain/

Also keep in mind the added overhead with OpenVPN -- your encrypted
SSH traffic is again encrypted by the VPN.

   If your laptop is always behind your local firewall, then it should be
   sufficient to have an OpenVPN tunnel established between your local
   firewall/print server and your remote server. This should allow you to
   print.
  
   Configuring the routes on your laptop to go through your local
   firewall and VPN to the remote server should allow you to grab your
   mail.
  
   If you move around with your laptop then you'll need to establish the
   VPN tunnel to your remote server anytime you need to grab your mail
   from anywhere else but home (behind your local firewall).

  Ah, tunnels, OK.  I need to think in terms of tunnels.  I'll
  definitely be moving around and won't be behind my local firewall too
  much of the time.  Can I set up the openvpn server on my remote system
  and keep a tunnel open between it and the firewall/print server for
  printing, and also initiate a tunnel between the laptop and the remote
  system whenever I need to mail or SSH?  Does that sound like a good
  plan?

Yep, that should work. With a 'permanent' tunnel established between
your remote server and your local firewall/print server, you'll always
have access to those too simply by connecting via VPN to your remote
server. You can print from your laptop to your printer at home while
overseas, for example.

Mike
-- 
gentoo-user@lists.gentoo.org mailing list
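Mike's advice (public keys only, every other method switched off) is easy to state and easy to lose to a later package upgrade. The following is an added example, not Mike's code or anything from the list: a small shell check that reads an sshd_config, or the effective configuration that `sshd -T` prints, and reports each directive that does not match the key-only policy. The two sample configuration files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the list: check an sshd_config for the settings Mike
# recommends (public keys only, every other method off) and report drift.
# Works on a config file or on the effective config saved from `sshd -T`.
# Caveat: directives inside Match blocks are read as if they were global;
# the check is deliberately simple.

# Directive and the value it must carry. An unset directive counts as a
# finding too: the compiled-in default may be fine today, but an explicit
# line survives upgrades and is what an auditor can read.
WANTED="PubkeyAuthentication=yes
PasswordAuthentication=no
KbdInteractiveAuthentication=no
PermitRootLogin=no"

# effective_value FILE KEY -> value of the first uncommented occurrence
# (sshd honours the first one it sees); keys match case-insensitively
# because `sshd -T` prints them in lower case.
effective_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# audit_sshd FILE -> one line per finding on stdout; returns 0 only if clean
audit_sshd() {
    _file=$1
    _bad=0
    for _pair in $WANTED; do
        _key=${_pair%%=*}
        _want=${_pair#*=}
        _got=$(effective_value "$_file" "$_key")
        if [ "$_got" != "$_want" ]; then
            printf '%s: %s is %s, want %s\n' "$_file" "$_key" "${_got:-unset}" "$_want"
            _bad=$(( _bad + 1 ))
        fi
    done
    [ "$_bad" -eq 0 ]
}

# write_samples DIR: two constructed configs, one permissive, one hardened
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
# constructed sample: a typical permissive setup
Port 2222
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
EOF
    cat > "$1/hardened.conf" <<'EOF'
# constructed sample: key-only login
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
AuthenticationMethods publickey
EOF
}

if [ "${SSHD_AUDIT_DEMO:-0}" = 1 ]; then
    d=$(mktemp -d)
    write_samples "$d"
    for f in "$d/weak.conf" "$d/hardened.conf"; do
        if audit_sshd "$f"; then echo "$f: ok"; fi
    done
    rm -rf "$d"
fi
```

Against the permissive sample the check reports four lines (the commented-out PubkeyAuthentication counts as unset); the hardened sample passes. On a live host, `sshd -T > /tmp/effective.conf` followed by `audit_sshd /tmp/effective.conf` checks what the daemon actually runs with rather than what the file says.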



Re: [gentoo-user] openvpn and nfsmount

2007-08-30 Thread Eric Martin
 And NFS, well, it's NFS. I don't love it, but I've used NFS exports from a
 14.k modem... So... maybe
 he is having internet issues, router issues, firewall issues, compilation
 issues... but OpenVPN and
 NFS, given a relatively good network environment, work more than OK.


I would still use tcp rather than UDP for NFS if I was going to mount it
over a slow network.  I did some benchmarks for my wireless and wired
network and TCP clearly beats UDP on files over 1MB.  I know the wireless
limitations have something to do with it as well, but it's my $0.02.


Re: [gentoo-user] openvpn and nfsmount

2007-08-30 Thread Arturo 'Buanzo' Busleiman
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Eric Martin wrote:
 I would still use tcp rather than UDP for NFS if I was going to mount it
 over a slow network.  I did some benchmarks for my wireless and wired
 network and TCP clearly beats UDP on files over 1MB.  I know the
 wireless limitations have something to do with it as well, but it's my
 $0.02.

OpenVPN transports over UDP (or TCP, but it's not recommended, there is a paper
about TCP encapsulation over TCP).

- --
Arturo Buanzo Busleiman - Consultor Independiente en Seguridad Informatica
Servicios Ofrecidos: http://www.buanzo.com.ar/pro/
Unase a los Foros GNU/Buanzo - La palabra Comunidad en su maxima expresion.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFG1zPjAlpOsGhXcE0RCgdAAJ9CaBk4jBemiI6zzVbTBq2l7csgfwCfbxrn
CI2KgpQ3gBBRW6Ghb1MLVYQ=
=2OkK
-END PGP SIGNATURE-
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] openvpn and nfsmount

2007-08-29 Thread Cipher van Byte
It isn't a good idea to mount nfs over openvpn. Both are highly unstable.
You should try openssh and its simple tunnel and ftp over it or any other
networked file system. If you really need to use nfs set it to use tcp.

--
Morpheus: No, what happened, happened and couldn't have happened any
other way.

On Tue, 28 Aug 2007, Patrick Holthaus wrote:


Hello!

I am having difficulties in setting up nfs with my laptop. I have an openvpn
server running at home that can be reached via dynamic dns from the outside
world. Now I would like to mount my nfs exports from everywhere I am. These
exports are only available in the vpn subnet (10.8.0.*).
There are basically three scenarios (all via net.wlan0):

1. Home:
- Direct connection to the openvpn server with a static private IP address
(192.168.1.xxx)
- ESSID is fixed (e.g. home)
- The openvpn service can be started via /etc/init.d/openvpn.home start (it
is properly configured via /etc/openvpn/home.conf)
- After that net.tap0 can be started and gets an ip address inside the vpn
(e.g. 10.8.0.100) if I have the following in /etc/conf.d/net:


config_tap0=( dhcp )
mac_tap0=00:FF:22:33:44:55
RC_NEED_tap0=openvpn.home


2. Remote:
- Connection via internet
- This time the openvpn service has to be started
via /etc/init.d/openvpn.remote start (because the config for that resides
in /etc/openvpn/remote.conf)
- You see that I have to change a line in /etc/conf.d/net to get things to
work:


config_tap0=( dhcp )
mac_tap0=00:FF:22:33:44:55
RC_NEED_tap0=openvpn.remote



Question is: Can I avoid changing these lines every time I travel around?

3. Remote via vpnc:
- Connection via internet (so openvpn.remote has to be used)
- ESSID fixed (e.g. unibi)
- Additionally: The vpnc service (/etc/init.d/vpnc.uni) has to be active

Second question: Can I start the vpnc service by knowing the ESSID of my
wireless network, and if I can: how?

Thanks for your time
Patrick


--
[EMAIL PROTECTED] mailing list
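Patrick's two questions in the quoted mail are whether the RC_NEED_tap0 line has to be edited by hand for every move, and whether the vpnc service can be started from the ESSID. The script below is an added example, not from this thread, that answers both. It assumes the ESSIDs home and unibi and the service names openvpn.home, openvpn.remote and vpnc.uni from his mail, that `iwgetid -r` (wireless-tools) prints the current ESSID, and the old baselayout /etc/conf.d/net format he shows.

```shell
#!/bin/sh
# Added example, not from this thread: pick the VPN profile from the wireless
# network and point RC_NEED_tap0 at it, so /etc/conf.d/net never needs hand
# edits when moving between networks.
# Assumptions: ESSIDs "home" and "unibi" and the services openvpn.home,
# openvpn.remote and vpnc.uni from Patrick's mail; `iwgetid -r` prints the
# current ESSID; the old baselayout /etc/conf.d/net format.

# profile_for_essid ESSID -> services to start, OpenVPN profile first.
# Anything unrecognised is treated as remote: the direct home path is taken
# only when the network is positively identified. An ESSID is trivially
# chosen by whoever runs the access point, so "home" here means "known LAN",
# never "trusted"; the tunnel is still what carries the nfs traffic.
profile_for_essid() {
    case "$1" in
        home)  echo "openvpn.home" ;;
        unibi) echo "openvpn.remote vpnc.uni" ;;
        *)     echo "openvpn.remote" ;;
    esac
}

# set_rc_need FILE SERVICE: make RC_NEED_tap0=SERVICE the only such line.
# Prints "updated" or "unchanged"; the file is rewritten in place so its
# inode, owner and mode survive.
set_rc_need() {
    _file=$1
    _svc=$2
    if grep -qxF "RC_NEED_tap0=$_svc" "$_file"; then
        echo unchanged
        return 0
    fi
    _tmp=$(mktemp) || return 1
    if grep -q '^RC_NEED_tap0=' "$_file"; then
        sed "s|^RC_NEED_tap0=.*|RC_NEED_tap0=$_svc|" "$_file" > "$_tmp"
    else
        cat "$_file" > "$_tmp"
        echo "RC_NEED_tap0=$_svc" >> "$_tmp"
    fi
    cat "$_tmp" > "$_file"
    rm -f "$_tmp"
    echo updated
}

# apply_profile ESSID CONFFILE: update the tap0 dependency, then start the
# services in the order profile_for_essid lists them.
apply_profile() {
    _conf=$2
    set -- $(profile_for_essid "$1")
    set_rc_need "$_conf" "$1" >/dev/null
    for _svc in "$@"; do
        /etc/init.d/"$_svc" start
    done
}

# Only act when asked, so the file can be sourced for its functions.
if [ "${VPN_PROFILE_APPLY:-0}" = 1 ]; then
    apply_profile "$(iwgetid -r)" /etc/conf.d/net
fi
```

Run with VPN_PROFILE_APPLY=1 from whatever fires when net.wlan0 comes up; set_rc_need is idempotent, so running it on every association is harmless.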



Re: [gentoo-user] openvpn and nfsmount

2007-08-29 Thread Dan Farrell
On Wed, 29 Aug 2007 21:18:47 +0200 (CEST)
Cipher van Byte [EMAIL PROTECTED] wrote:

 It isn't good idea to mount nfs over openvpn. Both are highly
 unstable. 

Openvpn is highly unstable?  really?  mine's been up for days.  

NFS is highly unstable?  Hardly.  Perhaps you mean that it's unstable
over openvpn, especially with UDP whose retransmission for slow links
like the internet isn't optimal.  

Nevertheless I've used this many times before, and although realtime
performance isn't especially good, I certainly wouldn't go so far as to
call it unstable.  

Any feedback?
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] openvpn and nfsmount

2007-08-29 Thread Arturo 'Buanzo' Busleiman
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Dan Farrell wrote:
 Nevertheless I've used this many times before, and although realtime
 performance isn't especially good, I certainly wouldn't go so far as to
 call it unstable.  

I've used OpenVPN to interconnect workstations and servers in Argentina, using
all from Cable internet to ADSL, and GPRS modems. It rocks.

And NFS, well, it's NFS. I don't love it, but I've used NFS exports from a 14.k
modem... So... maybe he is having internet issues, router issues, firewall
issues, compilation issues... but OpenVPN and NFS, given a relatively good
network environment, work more than OK.

- --
Arturo Buanzo Busleiman - Consultor Independiente en Seguridad Informatica
Servicios Ofrecidos: http://www.buanzo.com.ar/pro/
Unase a los Foros GNU/Buanzo - La palabra Comunidad en su maxima expresion.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFG1hMeAlpOsGhXcE0RCgK2AJ9XX9CccDDyoLAv7Qdv1VCiGeEt4ACfbFLV
xCbgUiIH5vrEEs4nyh8bW3w=
=MHR/
-END PGP SIGNATURE-
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] Openvpn configuration

2007-08-17 Thread Arturo 'Buanzo' Busleiman
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Jason Carson wrote:
 What I don't know what to do is what goes after ifconfig... 66.11.182.5 is
 my servers ip address to the external world (eth0). 192.168.0.1 is the
 internal network (eth1) address. What do I put after ifconfig?

Go to www.openvpn.net and read the documentation. What you say about ifconfig
has nothing to do with how openvpn works. If you need further help, contact me
offlist. I've been openvpn-ing for a number of years now :)

- --
Arturo Buanzo Busleiman - Consultor Independiente en Seguridad Informatica
*ESTE SABADO 18/Ago* SHOW DE FUTURABANDA (Punk Libre)- Sarmiento 1679 CapFed
Entradas anticipadas a traves de www.futurabanda.com.ar - Punk Rock Melodico
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGxmnfAlpOsGhXcE0RCuZxAJ43hvk9IU5vPw3VcyCflt6q88ejfgCeLZbE
i/xrUsO5zSPlawGZ/dKksSg=
=HJ1s
-END PGP SIGNATURE-
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] OpenVPN and DHCP

2007-03-19 Thread Thomas Rösner

Hi,

Patrick Holthaus schrieb:

Hello everybody!

Maybe this is a bit Off-Topic here, but maybe some of you like to help me 
anyway.


I am trying to build a VPN network where the clients get their IP addresses 
from a local DHCP server (because it should notify the nameserver of the 
clients). The VPN should have its own address pool 10.8.0.* while the 
unsecured clients in the server's LAN should get a 192.168.1.* address.


I got the VPN working but the clients apparently do not get their IP from the 
DHCP server but some random IP from the OpenVPN server. (The DHCP server only 
assigns 10.8.0.100-200 addresses but the clients get .8 or .10 for example)


Now my questions are:
Do I need bridging for making the DHCP server work in the VPN?


Yes. DHCP is an ethernet protocol. DHCP over IP wouldn't make much 
sense, would it? To use your existing DHCP Server you need OSI Layer 2 
VPN connections (TAP devices).



What should the configuration files look like?


Uhm, in your testing files, you try to configure IPs on a tap device? I 
think you mix the concepts up here. If you have a tap tunnel, your 
client sends ethernet frames to the server, which, when properly bridged, 
sends them to a local LAN, and vice versa. No IP involved on that level; 
you could use IPX or SCTP if you wanted. The only IP you mention in the 
config file is that of the server.


But then a client could connect and use any IP you ask? Well, yes, as in 
any LAN. You can use iptables on the bridge to filter spoofed packets 
out, though.


It's easier and faster to stick with a Layer 3 vpn, though.

Regards and HTH,
   Thomas
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] OpenVPN and DHCP

2007-03-17 Thread Arturo 'Buanzo' Busleiman
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Patrick Holthaus wrote:
 Now my questions are:
 Do I need bridging for making the DHCP server work in the VPN?
 How should the configuration files look like?

I don't think you can do it, because the openvpn client needs an IP provided by
the OpenVPN server software to obtain the tunnel. If you want OpenVPN to provide
a certain subnet range for your openvpn clients, then check out:

--server network netmask
A helper directive designed to simplify the configuration of OpenVPN's server
mode. This directive will set up an OpenVPN server which will allocate addresses
to clients out of the given network/netmask. The server itself will take the .1
address of the given network for use as the server-side endpoint of the local
TUN/TAP interface.

For example, --server 10.8.0.0 255.255.255.0 expands as follows:

 mode server
 tls-server
 push "topology [topology]"

 if dev tun AND (topology == net30 OR topology == p2p):
   ifconfig 10.8.0.1 10.8.0.2
   ifconfig-pool 10.8.0.4 10.8.0.251
   route 10.8.0.0 255.255.255.0
   if client-to-client:
     push "route 10.8.0.0 255.255.255.0"
   else if topology == net30:
     push "route 10.8.0.1"

 if dev tap OR (dev tun AND topology == subnet):
   ifconfig 10.8.0.1 255.255.255.0
   ifconfig-pool 10.8.0.2 10.8.0.254 255.255.255.0
   push "route-gateway 10.8.0.1"

Don't use --server if you are ethernet bridging. Use --server-bridge instead.

--server-bridge gateway netmask pool-start-IP pool-end-IP
A helper directive similar to --server which is designed to simplify the
configuration of OpenVPN's server mode in ethernet bridging configurations.

To configure ethernet bridging, you must first use your OS's bridging capability
to bridge the TAP interface with the ethernet NIC interface. For example, on
Linux this is done with the brctl tool, and with Windows XP it is done in the
Network Connections Panel by selecting the ethernet and TAP adapters and
right-clicking on Bridge Connections.

Next you must manually set the IP/netmask on the bridge interface. The gateway
and netmask parameters to --server-bridge can be set to either the IP/netmask of
the bridge interface, or the IP/netmask of the default gateway/router on the
bridged subnet.

Finally, set aside an IP range in the bridged subnet, denoted by pool-start-IP
and pool-end-IP, for OpenVPN to allocate to connecting clients.

For example, server-bridge 10.8.0.4 255.255.255.0 10.8.0.128 10.8.0.254 expands
as follows:

 mode server
 tls-server

 ifconfig-pool 10.8.0.128 10.8.0.254 255.255.255.0
 push "route-gateway 10.8.0.4"

[taken from: http://openvpn.net/man.html no Named Anchors there...]

- --
Arturo Buanzo Busleiman - Consultor Independiente en Seguridad Informatica
Enigform for Firefox: A secure browsing experience: http://enigform.mozdev.org
Mail Hosting Seguro y Consultoria - http://www.buanzo.com.ar/pro/
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFF+9NiAlpOsGhXcE0RCrNbAJ924t72yJMexav/3YESNXHziZm4OACeJy6s
tLlNylW4KHjPt4ngjest/jE=
=gIhv
-END PGP SIGNATURE-
-- 
gentoo-user@gentoo.org mailing list
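The manual text Arturo quotes shows the expansion of --server for one network only. What follows is an added example, written for this page and taken neither from the list nor from the OpenVPN manual: a shell function that computes the same expansion for any network and netmask, so the pool the server will hand out can be checked against the LAN plan before the daemon starts (which is exactly the kind of clash Patrick is running into). For 10.8.0.0/24 the output matches the quoted manual; for other mask sizes, the pool ends it computes (broadcast minus 4 for net30, broadcast minus 1 for subnet) are my reading of OpenVPN's behaviour and should be treated as an assumption. The push lines are printed with the quotes OpenVPN's config syntax requires.

```shell
#!/bin/sh
# Added example, neither from the list nor from the OpenVPN manual: compute
# what the --server helper expands to, so the pool it will hand out can be
# checked against the LAN plan before the daemon is started. The 10.8.0.0/24
# results match the manual text quoted above; for other mask sizes the pool
# ends (broadcast-4 for net30, broadcast-1 for subnet) are my reading of
# OpenVPN's behaviour and should be treated as an assumption.

# ip2int A.B.C.D -> unsigned integer
ip2int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# int2ip N -> A.B.C.D
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# expand_server NETWORK NETMASK [TOPOLOGY] [client-to-client]
# TOPOLOGY: net30 (the historic default) or subnet (also what a tap device gets)
expand_server() {
    _net=$(ip2int "$1")
    _mask=$(ip2int "$2")
    _topo=${3:-net30}
    _c2c=${4:-}
    if [ $(( _net & _mask )) -ne "$_net" ]; then
        echo "error: $1 is not the network address for mask $2" >&2
        return 1
    fi
    _bcast=$(( _net + (4294967295 - _mask) ))   # all host bits set
    _srv=$(int2ip $(( _net + 1 )))              # the server always takes .1
    echo "mode server"
    echo "tls-server"
    echo "push \"topology $_topo\""
    case $_topo in
    net30|p2p)
        echo "ifconfig $_srv $(int2ip $(( _net + 2 )))"
        echo "ifconfig-pool $(int2ip $(( _net + 4 ))) $(int2ip $(( _bcast - 4 )))"
        echo "route $1 $2"
        if [ -n "$_c2c" ]; then
            echo "push \"route $1 $2\""
        elif [ "$_topo" = net30 ]; then
            echo "push \"route $_srv\""
        fi
        ;;
    subnet)
        echo "ifconfig $_srv $2"
        echo "ifconfig-pool $(int2ip $(( _net + 2 ))) $(int2ip $(( _bcast - 1 ))) $2"
        echo "push \"route-gateway $_srv\""
        ;;
    *)
        echo "error: unknown topology $_topo" >&2
        return 1
        ;;
    esac
}

# e.g.  expand_server 10.8.0.0 255.255.255.0        (net30, as in the manual)
#       expand_server 10.8.0.0 255.255.255.0 subnet
```

The network-address check matters in practice: `--server 10.8.0.5 255.255.255.0` is a misconfiguration, and failing on it here is cheaper than discovering it from a client that cannot route.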



Re: [gentoo-user] openvpn multiple tunnels

2006-04-27 Thread Manuel McLure
 Used to be you could have multiple tunnels open with vpn.  When it changed
 to require /etc/openvpn/openvpn.conf, instead of launching all the tunnels, I
 can no longer figure out how to open multiple tunnels.  The docs seem to
 mention an /etc/conf.d/openvpn file, but that didn't get created on my
 system and I can't find any reference to the format/options.  Can someone
 point me to a readme or howto on how to start a particular tunnel?

What you need to do is create a tunnelname.conf file for your second
tunnel, and then link /etc/init.d/openvpn to /etc/init.d/tunnelname.
Then you can start the second tunnel with either /etc/init.d/tunnelname
start, or by using rc-update to add tunnelname to the runlevel of your
choice. For example:

cp /etc/openvpn/openvpn.conf /etc/openvpn/homevpn.conf
vi /etc/openvpn/homevpn.conf
ln -s openvpn /etc/init.d/homevpn
rc-update add homevpn default
/etc/init.d/homevpn start

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] openvpn multiple tunnels

2006-04-27 Thread John Jolet

 What you need to do is create a tunnelname.conf file for your second
 tunnel, and then link /etc/init.d/openvpn to /etc/init.d/tunnelname.
 Then you can start the second tunnel with either /etc/init.d/tunnelname
 start, or by using rc-update to add tunnelname to the runlevel of your
 choice. For example:

 cp /etc/openvpn/openvpn.conf /etc/openvpn/homevpn.conf
 vi /etc/openvpn/homevpn.conf
 ln -s openvpn /etc/init.d/homevpn
 rc-update add homevpn default
 /etc/init.d/homevpn start
Ah!  Okay, so it works kinda like the net.eth0 link to net.lo, then?  I'd seen 
that about creating a link, but I couldn't figure out where that was 
happening.  Thanks SO much
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] openvpn

2005-09-18 Thread Oliver Friedrich
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Allan Spagnol Comar wrote:

 Hi all, I'm having some strange problem on my VPN :(

 I had configured openvpn as tunnel server-client; had a tun
 interface .

 I started the open vpn using 10.8.0.0 network and has my private
 net at 192.168.0.0 and the open vpn is running at 192.168.0.230

 I started one client; the client sync receive an IP 10.8.0.5 and
 the route to 192.168.0.0 network;

 Until now everything looks ok, but here is the strange sinc, I can
 ping 10.8.0.1 and I can ping 192.168.0.230 but when I try to ping
 192.168.0.1 it got connection time out 


There is the problem: the 10.8.0.0 network is only for the connection,
your client is on 192.168.0.0 and your server is on 192.168.0.0 too...
so as long as the tunnel exists, your server has two 192.168.0.230,
one locally and one on the other side of the tunnel...

Client and server must not be in the same subnet, since then the tunnel
can cause IP conflicts.

Sorry for my bad English

Oliver Beowulf Friedrich




Re: [gentoo-user] openvpn

2005-09-18 Thread Scott Storck

Hi Allan,

Allan Spagnol Comar schrieb:


Hi all, I am having a strange problem on my VPN :(

I had configured openvpn as tunnel server-client; it has a tun interface.

I started the openvpn using the 10.8.0.0 network and have my private net
at 192.168.0.0, and the openvpn is running at 192.168.0.230

I started one client; the client syncs and receives an IP 10.8.0.5 and the
route to the 192.168.0.0 network;

Until now everything looks ok, but here is the strange thing: I can
ping 10.8.0.1 and I can ping 192.168.0.230, but when I try to ping
192.168.0.1 I get a connection timeout.

I set up the iptables forward at the 192.168.0.230 machine. What
more have I missed?
Anyone have a clue?

Thanks, Allan

 


If you want to access the network of the server from the client,
you need the following things.

(I am going from the top down, so that someone else might be able to 
follow this, and get something out of it.)


When openvpn creates the tunnel, you have a point-to-point connection 
between the server and the client.
In your example, you use the 10.8.0.0 network for the server-to-client 
point-to-point connection.
Since you say that you can ping the server on the 10.8.0.0 network, the 
tunnel is most likely working.
You say that the server is in the 192.168.0.0 network, and has the 
192.168.0.230 address.

You also say that a route to 192.168.0.0 is added on the client machine,
and that you can ping the server on the 192.168.0.0 network using the 
192.168.0.230 address.

So the routing on the client is also fine.

Assuming that you want the client(s) to be seen in the private network 
(192.168.0.0) as being in the 10.8.0.0 network,
you need to add a route back to the client for the machines in the 
private network.

If your private network has a default gateway,
it is usually easiest to add a route at the default gateway,
saying that the 10.8.0.0 network can be reached over the gateway host 
192.168.0.230.


The other important thing is to make sure that your openvpn server has 
packet forwarding on.

i.e. net.ipv4.ip_forward = 1 in /etc/sysctl.conf

The best way to test your routing when you think it should be working
is to do a traceroute from a machine in the private network to the 
client when the VPN is up.


MfG,
Scott





Re: [gentoo-user] openvpn

2005-09-18 Thread capsel
AFAIK:
packets cannot reach destinations in another subnet (except 0.0.0.0)
than the subnet of your IP. You must have an IP address assigned from the
same subnet as the destination host.

So the client can ping all of 10 and both sides of the server.
Please check if you can ping another IP from the 192.168.0.0 subnet.

My advice is to fix the routing tables... or to set up NAT, or set
everywhere the same subnet :)

2005/9/18, Oliver Friedrich [EMAIL PROTECTED]:
 
 Allan Spagnol Comar wrote:
 
  Hi all, I am having a strange problem on my VPN :(
 
  I had configured openvpn as tunnel server-client; it has a tun
  interface.
 
  I started the openvpn using the 10.8.0.0 network and have my private
  net at 192.168.0.0, and the openvpn is running at 192.168.0.230
 
  I started one client; the client syncs and receives an IP 10.8.0.5 and
  the route to the 192.168.0.0 network;
 
  Until now everything looks ok, but here is the strange thing: I can
  ping 10.8.0.1 and I can ping 192.168.0.230, but when I try to ping
  192.168.0.1 I get a connection timeout.
 
 
 There is the problem: the 10.8.0.0 network is only for the connection,
 your client is on 192.168.0.0 and your server is on 192.168.0.0 too...
 so as long as the tunnel exists, your server has two 192.168.0.230,
 one locally and one on the other side of the tunnel...
 
 Client and server must not be in the same subnet, since then the tunnel
 can cause IP conflicts.
 
 Sorry for my bad English
 
 Oliver Beowulf Friedrich
 
 


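The routing argument in Scott's reply (the LAN needs a route back to 10.8.0.0 via 192.168.0.230, and the server needs ip_forward on) and capsel's alternative (NAT on the VPN server) can be checked without touching a real network. The following is an added example, not code posted in this thread: it walks packets through a small model of the thread's topology, doing longest-prefix lookups per hop, and shows why the echo request reaches 192.168.0.1 while the echo reply dies at the gateway's default route. Only the addresses the thread gives (10.8.0.1, 10.8.0.5, 192.168.0.1, 192.168.0.230) are from the thread; the client's public address, the gateway's WAN side and the interface names are constructed for the example, and the NAT model is a simplified per-peer conntrack rather than a full port-level one.

```python
"""Route-table walk of the thread's topology (added example, not code from
the thread). Shows why a client on 10.8.0.5 reaches 192.168.0.230 but not
192.168.0.1, and which of the two fixes (return route or NAT) repairs it."""
import ipaddress
from dataclasses import dataclass, field

Addr, Net = ipaddress.IPv4Address, ipaddress.IPv4Network
VPN_NET = Net("10.8.0.0/24")


@dataclass
class Host:
    name: str
    addrs: dict               # iface -> Addr
    routes: list              # (Net, via Addr or None, iface)
    forwards: bool = True     # net.ipv4.ip_forward
    masquerade: bool = False  # iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    nat: dict = field(default_factory=dict)  # (translated src, peer) -> original src

    def owns(self, a):
        return a in self.addrs.values()

    def lookup(self, dst):
        """Longest-prefix match; returns (next hop, iface) or None."""
        cands = [r for r in self.routes if dst in r[0]]
        if not cands:
            return None
        net, via, iface = max(cands, key=lambda r: r[0].prefixlen)
        return (via if via is not None else dst), iface


def mk(name, addrs, routes, **kw):
    return Host(name, {i: Addr(a) for i, a in addrs.items()},
                [(Net(n), Addr(v) if v else None, i) for n, v, i in routes], **kw)


class Network:
    def __init__(self, hosts):
        self.by_addr = {a: h for h in hosts for a in h.addrs.values()}

    def send(self, host, src, dst):
        """Carry one packet hop by hop. Returns (path, outcome, src as delivered)."""
        path = [host.name]
        for _ in range(8):
            if host.owns(dst):
                if (dst, src) not in host.nat:
                    return path, f"delivered to {host.name}", src
                dst = host.nat.pop((dst, src))   # reply to a masqueraded flow: un-NAT it
            elif len(path) > 1 and not host.forwards:
                return path, f"dropped at {host.name}: ip_forward=0", src
            hop = host.lookup(dst)
            if hop is None:
                return path, f"dropped at {host.name}: no route to {dst}", src
            nh, iface = hop
            if host.masquerade and iface == "eth0" and src in VPN_NET:
                host.nat[(host.addrs["eth0"], dst)] = src   # conntrack entry
                src = host.addrs["eth0"]
            nxt = self.by_addr.get(nh)
            if nxt is None:   # default route towards the ISP: 10.8.0.0/24 is unknown there
                return path, f"dropped: {host.name} sent it upstream to {nh}", src
            host = nxt
            path.append(host.name)
        return path, "dropped: hop limit", src

    def ping(self, client, dst):
        """Echo request then echo reply; in the thread it is the reply that fails."""
        dst = Addr(dst)
        req_path, req, src_seen = self.send(client, client.addrs["tun0"], dst)
        if not req.startswith("delivered"):
            return False, f"request {req} ({' > '.join(req_path)})"
        rep_path, rep, _ = self.send(self.by_addr[dst], dst, src_seen)
        return rep == f"delivered to {client.name}", f"reply {rep} ({' > '.join(rep_path)})"


def build(return_route=False, masquerade=False, ip_forward=True):
    """The thread's topology; public addresses and the gateway's WAN side are made up."""
    client = mk("client", {"tun0": "10.8.0.5", "eth0": "198.51.100.7"}, [
        ("10.8.0.0/24", None, "tun0"),
        ("192.168.0.0/24", "10.8.0.1", "tun0"),          # the route OpenVPN pushed
        ("0.0.0.0/0", "198.51.100.1", "eth0")])
    server = mk("server", {"tun0": "10.8.0.1", "eth0": "192.168.0.230"}, [
        ("10.8.0.0/24", None, "tun0"),
        ("192.168.0.0/24", None, "eth0"),
        ("0.0.0.0/0", "192.168.0.1", "eth0")], forwards=ip_forward, masquerade=masquerade)
    gateway = mk("gateway", {"lan": "192.168.0.1", "wan": "203.0.113.2"}, [
        ("192.168.0.0/24", None, "lan"),
        ("0.0.0.0/0", "203.0.113.1", "wan")])
    if return_route:   # on the gateway: ip route add 10.8.0.0/24 via 192.168.0.230
        gateway.routes.append((VPN_NET, Addr("192.168.0.230"), "lan"))
    return Network([client, server, gateway]), client


def can_ping(dst, **topology):
    net, client = build(**topology)
    return net.ping(client, dst)[0]


if __name__ == "__main__":
    for label, dst, topo in [
            ("server LAN address, no fix", "192.168.0.230", {}),
            ("gateway, no fix (the thread's symptom)", "192.168.0.1", {}),
            ("gateway, return route on gateway", "192.168.0.1", {"return_route": True}),
            ("gateway, return route but ip_forward=0", "192.168.0.1",
             {"return_route": True, "ip_forward": False}),
            ("gateway, MASQUERADE on the VPN server", "192.168.0.1", {"masquerade": True})]:
        net, client = build(**topo)
        ok, why = net.ping(client, dst)
        print(f"{'OK  ' if ok else 'FAIL'} {label}: {why}")
```

The return-route fix keeps the client's real 10.8.0.x address visible on the LAN, so LAN firewalls and logs can tell VPN clients apart; the MASQUERADE fix needs no change on the gateway but hides every client behind 192.168.0.230. Either way the request path is the same, which is why the traceroute Scott suggests should be run from the LAN side towards the client, where the broken half of the path is.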