Re: Tunneling in NetBSD
"Francisco Valladolid H." writes:

> I need setup a NetBSD for tunneling (VPN) to my clients, notebooks (windows
> or MacBook) maybe cellphone (android).
> I’m thinking using L2TP(maybe more standard) or OpenVPN.
>
> Maybe, ikev2 can be a good choice. Is NetBSD ready for ikev2 (aka
> racoon2) ?

I used to use IPsec in transport mode with racoon (IKEv1). I do not have the impression the IKEv2 world is easy to deal with these days.

My suggestion is openvpn. I have set that up for android and mac clients to use to access the internet from a different address than the one they have, and also avoiding all the crazy firewalls you run into, and it works fine. You do need to set up certificates, and openvpn wants its own, not to use letsencrypt, so if you don't already understand that, it's going to be somewhat tricky. But I did not run into any issues that seem related to NetBSD, so the upstream help should suffice.

On android, there is OpenVPN in f-droid, and tunnelblick seems to be the way on macOS.
firefox52 core dump on RPI2 NetBSD9.1
This is using binary packages from http://cdn.NetBSD.org/pub/pkgsrc/packages/NetBSD/earmv7hf/9.1/All on

NetBSD armv7 9.1_STABLE NetBSD 9.1_STABLE (GENERIC) #0: Tue Nov 10 11:45:35 UTC 2020 mkre...@mkrepro.netbsd.org:/usr/src/sys/arch/evbarm/compile/GENERIC evbarm

#/usr/pkg/bin/firefox52
Assertion failure: !joinable(), at /scratch/work/www/firefox52/work/firefox-52.9.0esr/js/src/threading/Thread.h:122
Segmentation fault (core dumped)

gdb where output snipped similar lines:

...
BFD: /usr/pkg/lib/libdbus-glib-1.so.2: invalid string offset 9426 >= 2737 for section `.strtab'
BFD: /usr/pkg/lib/libdbus-glib-1.so.2: invalid string offset 3088 >= 2737 for section `.strtab'
BFD: /usr/pkg/lib/libdbus-glib-1.so.2: invalid string offset 2990 >= 2737 for section `.strtab'
BFD: /usr/pkg/lib/libdbus-glib-1.so.2: invalid string offset 6196 >= 2737 for section `.strtab'
Core was generated by `firefox52'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x7bb58c70 in _lwp_kill () from /usr/lib/libc.so.12
[Current thread is 1 (process 1)]
(gdb)

Any quick workarounds? I need a browser with JS, but preferably firefox, as there are some marionette scripts to automate routine tasks.

--
Mayuresh
Re: Tunneling in NetBSD
I had a basic setup, an ARM board. Is OpenVPN suitable for this?

Thank you.

On Mon 16 Nov 2020 at 6:29 Brad Spencer wrote:

> "Francisco Valladolid H." writes:
>
> > Hi friends.
> >
> > I need setup a NetBSD for tunneling (VPN) to my clients, notebooks (windows
> > or MacBook) maybe cellphone (android).
> > I’m thinking using L2TP(maybe more standard) or OpenVPN.
> >
> > Maybe, ikev2 can be a good choice. Is NetBSD ready for ikev2 (aka racoon2)
> > ?
> >
> > Some suggestions for me.
> >
> > Thank you for reading.
>
> Hello...
>
> I do ikev1 (normal IPsec) and OpenVPN. Around the NetBSD 7.x time
> frame, racoon stopped working with MacOS and Shrewsoft VPN on
> MS-WINDOWs. I never tried ikev2, but did look into it a while back. I
> was very much unconvinced that it would operate. More recently, I have
> moved pretty much completely to OpenVPN. It is not hard to set up and
> operates pretty much as expected with MS-WINDOWs, Android and NetBSD
> itself. Very recently on -current, I have used wg(4) as a client, but
> have not tried it in server mode. I hear that L2TP may function, I did
> toy with PPTP for a while...
>
> Honestly, your best bet is probably OpenVPN.
>
> --
> Brad Spencer - b...@anduin.eldar.org - KC8VKS - http://anduin.eldar.org

--
Francisco Valladolid H.
-- http://blog.bsdguy.net - Jesus Christ follower.
Re: Tunneling in NetBSD
Greg Troxel wrote:

> My suggestion is openvpn. [...]
> You do need to set up certificates

Not if you use the static key encryption mode.

--
Andreas Gustafsson, g...@gson.org
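
The two OpenVPN server setups contrasted in this exchange, side by side, as an added illustration that is not part of any poster's message. File names, the UDP port and the 10.8.0.0/24 addresses are assumptions chosen for the example.

```conf
# ---- Option A: static key mode (no certificates) --------------------
# server-static.conf (hypothetical file name)
dev tun
proto udp
port 1194
ifconfig 10.8.0.1 10.8.0.2       # point-to-point link: exactly one peer
secret static.key                # pre-shared key, identical on both ends
# What this mode implies:
#  - one client per server instance; every extra device needs its own
#    instance, port and key
#  - the same long-lived key protects every session, so there is no
#    forward secrecy: a leaked key exposes recorded past traffic
#  - the key is stored in plaintext on both ends and has to be copied
#    to the client over an already-secure channel

# ---- Option B: TLS mode with a private CA (certificates) ------------
# server-tls.conf (hypothetical file name)
dev tun
proto udp
port 1194
server 10.8.0.0 255.255.255.0    # address pool, serves many clients
ca ca.crt                        # the private CA that signed all certs
cert server.crt
key server.key
dh none                          # ECDH key exchange only (OpenVPN 2.4+)
tls-crypt ta.key                 # authenticates and encrypts the control channel
remote-cert-tls client           # peer certificate must be a client cert
crl-verify crl.pem               # lets one lost device be revoked
# What this mode implies:
#  - each notebook or phone gets its own certificate and private key
#  - session keys are negotiated per connection and renegotiated
#  - revoking one device does not require re-keying the others
```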
Re: Tunneling in NetBSD
Of course, all clients have to install the VPN client of their choice, as well as any certificate or complementary authentication SW/HW tools (e.g. smartcard, OTP tokens).

In my experience, small companies often use OpenVPN and large ones (e.g. banks) prefer proprietary solutions such as FortiNet. The VPN client is generally deployed/updated automatically when the laptop is connected to the enterprise network, like any other application.

Before COVID, only a few selected people were allowed to connect to the enterprise network through a VPN, but this privilege has now been extended to a much wider population. :)

On 16/11/2020 15:07, Andy Ruhl wrote:

> Just a general question to this thread:
>
> How do clients use OpenVPN? Do you have to install it, and is it widely
> available? My basic research suggests that most clients will have to
> install it.
>
> What about built in VPN clients? Isn't L2TP pretty much standard?
>
> Thanks.
>
> Andy
Re: Tunneling in NetBSD
Just a general question to this thread:

How do clients use OpenVPN? Do you have to install it, and is it widely available? My basic research suggests that most clients will have to install it.

What about built in VPN clients? Isn't L2TP pretty much standard?

Thanks.

Andy
Re: Tunneling in NetBSD
Andy Ruhl writes:

> How do clients use OpenVPN? Do you have to install it, and is it
> widely available? My basic research suggests that most clients will
> have to install it.

You are right that most clients need to install something. I installed OpenVPN on Android, available from f-droid (which therefore implies it's actually Free Software) and TunnelBlick on mac (which is more or less the official client).

> What about built in VPN clients? Isn't L2TP pretty much standard?

Perhaps; if someone has a setup and can post about it that would be interesting.

There is another big issue lurking, which is how VPN approaches interact with firewall traversal. There are a lot of firewalls that block a lot of things out there. I've run into some that block xmpp, including a hospital guest network that was intended, and I suspect that's only because there was a narrow list of allowed ports. Probably I just used tor at the time to get around it.

I don't remember all the details, but there are SSL VPNs, VPNs that send datagrams as IPsec, and VPNs that send UDP datagrams. Depending on what you want to do this matters.
Re: Tunneling in NetBSD
On Mon, Nov 16, 2020 at 7:29 AM Greg Troxel wrote:

> There is another big issue lurking, which is how VPN approaches interact
> with firewall traversal. There are a lot of firewalls that block a lot
> of things out there.

Yes, very much true. I like layer 4 methods on clients for this reason. They seem to survive NAT.

Andy
Bump - Non-functional xfreerdp2 on 8.1 STABLE - missing POSIX timer_create?
Hi all,

The original question is now nearly one year old:
https://mail-index.netbsd.org/pkgsrc-users/2019/12/10/msg029983.html

There was no response and I can confirm that the problem still exists on 9.1 stable amd64 and evbarm. Are developers at least aware that there is such a problem and freerdp2 is not working with newer Windows hosts over RDP?

evbarm:

$ uname -a
NetBSD armv7 9.1_STABLE NetBSD 9.1_STABLE (GENERIC) #0: Tue Nov 10 11:45:35 UTC 2020 mkre...@mkrepro.netbsd.org:/usr/src/sys/arch/evbarm/compile/GENERIC evbarm
$
[19:45:51:767] [2861:67ec4000] [INFO][com.freerdp.core] - freerdp_connect:freerdp_set_last_error_ex resetting error state
[19:45:51:773] [2861:67ec4000] [INFO][com.freerdp.client.common.cmdline] - loading channelEx rdpdr
[19:45:51:777] [2861:67ec4000] [INFO][com.freerdp.client.common.cmdline] - loading channelEx rdpsnd
[19:45:51:782] [2861:67ec4000] [INFO][com.freerdp.client.common.cmdline] - loading channelEx cliprdr
[19:45:51:808] [2861:67ec4000] [INFO][com.freerdp.client.x11] - Property 256 does not exist
[19:45:51:219] [2861:67ec4000] [INFO][com.freerdp.primitives] - primitives autodetect, using generic
[19:45:51:354] [2861:67ec4000] [INFO][com.freerdp.core] - freerdp_tcp_is_hostname_resolvable:freerdp_set_last_error_ex resetting error state
[19:45:51:355] [2861:67ec4000] [INFO][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex resetting error state
[19:45:53:759] [2861:67ec4000] [WARN][com.freerdp.crypto] - Certificate verification failure 'self signed certificate in certificate chain (
Do you trust the above certificate? (Y/T/N) Y
[19:45:55:231] [2861:67ec4000] [ERROR][com.winpr.timezone] - StandardName conversion failed - using default
[19:45:55:337] [2861:67ec4000] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 0: Undefined error: 0
[19:45:55:337] [2861:67ec4000] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[19:45:55:358] [2861:67ec4000] [INFO][com.freerdp.core] - freerdp_tcp_is_hostname_resolvable:freerdp_set_last_error_ex resetting error state
[19:45:55:359] [2861:67ec4000] [INFO][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex resetting error state
[19:45:57:497] [2861:67ec4000] [ERROR][com.winpr.timezone] - StandardName conversion failed - using default
[19:45:58:607] [2861:67ec4000] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 0: Undefined error: 0
[19:45:58:607] [2861:67ec4000] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[19:45:58:608] [2861:67ec4000] [ERROR][com.freerdp.core] - freerdp_post_connect failed

$ pkg_info -c freerdp2
Information for freerdp2-2.1.1:

Comment:
Free implementation of the Remote Desktop Protocol (major version 2)

$
$ date
Mon Nov 16 19:53:06 CET 2020
$
$ ntpq -p
remote refid st t when poll reach delay offset jitter
==
2.netbsd.pool.n .POOL. 16 p- 6400.0000.000 0.002
+mail.spamassass 147.231.2.6 2 u 438 512 377 11.270 -0.135 0.657
*ntp.suas.cz .PHC0. 1 u 475 512 377 11.507 -0.982 0.577
+lhx.cz 147.231.100.52 u 944 512 3768.682 -0.913 1.253
-mail.spamassass 147.231.2.6 2 u 977 512 376 11.642 -0.208 0.651
-time.cloudflare 10.31.8.43 u 723 1024 3778.322 -1.429 0.775
$

DNS, VPN, browser all run fine regarding time and related things.

Not subscribed to lists so please cc
Re: firefox52 core dump on RPI2 NetBSD9.1
On Mon, Nov 16, 2020 at 05:33:55PM +0530, Mayuresh wrote:

> BFD: /usr/pkg/lib/libdbus-glib-1.so.2: invalid string offset 9426 >= 2737 for
> section `.strtab'

How critical is dbus as far as firefox on RPI is concerned?

As a quick fix will switching dbus off solve above problem?

--
Mayuresh