Re: [Openvpn-devel] Intelligent OpenVPN service?

2010-10-18 Thread Karl O. Pinc
On 10/18/2010 02:14:19 PM, Jason Haar wrote:
>  On 10/19/2010 07:43 AM, Davide Brini wrote:
> > Sorry for the silly question, but how do you expect the OpenVPN link to be
> > established if the computer "does not already have a connection"?
> >
> > What do you mean with the above statement?
> I think he means: if the machine is on the corporate network, then don't
> kick off an openvpn connection to the corporate network
> 
> We did that here using firewall trickery. We block access to the openvpn
> server ports from the corporate network - that way openvpn can remain
> permanently running on all clients, and it will only work when clients
> connect from non-corporate networks.
> 
> It's a kludge (hard to scale when you have dozens of corporate Internet
> address ranges) - what's really needed is a "--pre-connection" option -
> so that we can run scripts before the openvpn service even starts. Then
> the "pre" script could explicitly check if the corporate network is
> available (eg attempt to download a HTTPS page from an exclusively
> internal server) and error if it is - causing openvpn to not attempt to
> make a connection

How would that work if, say, the laptop leaves the building and
loses wireless to the corporate network?  In the setup you
describe all the connections die because the network goes
down. Seems to me it would be better to always have an OpenVPN
connection but not route to it when you're inside the firewall.
Some solution involving a routing protocol would do this, and then
established connections would not break.

Routing protocols are supposed to deal with paths going up and down,
so why reinvent the wheel?




Karl 
Free Software:  "You don't pay back, you pay forward."
 -- Robert A. Heinlein




Re: [Openvpn-devel] Intelligent OpenVPN service?

2010-10-18 Thread Jonathan K. Bullard
You might want to look at the client GUI. For example, Tunnelblick (OS X GUI
which also includes embedded tun/tap kexts, OpenVPN and OpenSSL binaries)
has just such a "pre-connection" feature. People can call a script before
OpenVPN is started, and when OpenVPN finishes. It is used to do such things
as unload Cisco AnyVPN tun before running OpenVPN, and reloading it
afterward. Of course, it would be nice to have it be a part of OpenVPN.

On Mon, Oct 18, 2010 at 3:14 PM, Jason Haar wrote:

>  On 10/19/2010 07:43 AM, Davide Brini wrote:
> > Sorry for the silly question, but how do you expect the OpenVPN link to be
> > established if the computer "does not already have a connection"?
> >
> > What do you mean with the above statement?
> I think he means: if the machine is on the corporate network, then don't
> kick off an openvpn connection to the corporate network
>
> We did that here using firewall trickery. We block access to the openvpn
> server ports from the corporate network - that way openvpn can remain
> permanently running on all clients, and it will only work when clients
> connect from non-corporate networks.
>
> It's a kludge (hard to scale when you have dozens of corporate Internet
> address ranges) - what's really needed is a "--pre-connection" option -
> so that we can run scripts before the openvpn service even starts. Then
> the "pre" script could explicitly check if the corporate network is
> available (eg attempt to download a HTTPS page from an exclusively
> internal server) and error if it is - causing openvpn to not attempt to
> make a connection
>
> See "2.1 client - how to autorun script post-connect" for further
> comments about why I think a "pre" script option would be a good idea.
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
>
>
> ___
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
>


Re: [Openvpn-devel] Intelligent OpenVPN service?

2010-10-18 Thread Daniel Johnson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 10/18/2010 01:43 PM, Davide Brini wrote:
> Sorry for the silly question, but how do you expect the OpenVPN
> link to be established if the computer "does not already have
> a connection"?
>
> What do you mean with the above statement?
>

Ah, I failed to finish the sentence.  Should read:

===
I want to set up company laptops and remote desktops to use OpenVPN
as a service, but it should *only* connect if the computer does not
already have a connection to our company (such as locally wired or
internal wireless).
===

In other words I don't want this to light up a VPN tunnel when it
is already inside our firewall.

Daniel Johnson
progman2...@usa.net
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAky8m9MACgkQ6vGcUBY+ge8hmwCfdkycczLNiFmYnWvWQCvOyO0V
sjYAn2R5Sn+fGOAxnW9hMMncTJng6YcH
=Oqjc
-END PGP SIGNATURE-




Re: [Openvpn-devel] Intelligent OpenVPN service?

2010-10-18 Thread Jason Haar
 On 10/19/2010 07:43 AM, Davide Brini wrote:
> Sorry for the silly question, but how do you expect the OpenVPN link to be
> established if the computer "does not already have a connection"?
>
> What do you mean with the above statement?
I think he means: if the machine is on the corporate network, then don't
kick off an openvpn connection to the corporate network.

We did that here using firewall trickery. We block access to the openvpn
server ports from the corporate network - that way openvpn can remain
permanently running on all clients, and it will only work when clients
connect from non-corporate networks.

It's a kludge (hard to scale when you have dozens of corporate Internet
address ranges) - what's really needed is a "--pre-connection" option -
so that we can run scripts before the openvpn service even starts. Then
the "pre" script could explicitly check if the corporate network is
available (e.g. attempt to download an HTTPS page from an exclusively
internal server) and error if it is - causing openvpn to not attempt to
make a connection.

See "2.1 client - how to autorun script post-connect" for further
comments about why I think a "pre" script option would be a good idea.

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
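The "pre" script idea above, written out as a wrapper a client could run instead of starting openvpn directly. This is an added example, not code from the thread or from OpenVPN: it probes an HTTPS URL that only answers from inside the corporate network and starts openvpn only when the probe fails. The URL, the CA file path, the expected response body and the script name are all placeholders I made up.

```shell
#!/bin/sh
# Added example (not OpenVPN's own code): a "pre-connection" check of the kind
# described in the thread. It decides whether this client should bring the
# tunnel up by probing an HTTPS URL that only resolves and answers from inside
# the corporate network. Every name and path below is a constructed placeholder.

PROBE_URL="${PROBE_URL:-https://vpn-probe.corp.example/ok}"   # internal-only host
CORP_CA="${CORP_CA:-/etc/openvpn/corp-ca.pem}"                  # CA that issued the probe host's cert
EXPECTED_BODY="${EXPECTED_BODY:-corp-network-ok}"               # exact body the probe must return
PROBE_TIMEOUT="${PROBE_TIMEOUT:-3}"                             # seconds; keep short so startup is not delayed

# on_corporate_network: returns 0 only if the probe host answers over TLS with
# a certificate chaining to CORP_CA and with the expected body. Verifying the
# certificate is the important part: on a hostile network, a captive portal or
# a spoofed DNS answer for the probe hostname must not be able to convince the
# client that it is "inside" and so leave it running without the tunnel.
on_corporate_network() {
    body=$(curl --silent --fail --max-time "$PROBE_TIMEOUT" \
                --cacert "$CORP_CA" "$PROBE_URL" 2>/dev/null) || return 1
    [ "$body" = "$EXPECTED_BODY" ]
}

# decide: prints "skip" when the corporate network is reachable and "connect"
# otherwise. Any probe failure (no route, TLS error, curl missing, wrong body)
# counts as "not on the corporate network", so the client fails towards
# bringing the tunnel up rather than towards running unprotected.
decide() {
    if on_corporate_network; then
        echo skip
    else
        echo connect
    fi
}

# Wrapper entry point: "sh pre-connect.sh run /path/to/client.ovpn".
# Only executed when invoked with "run", so the functions above can also be
# sourced and exercised on their own.
if [ "${1:-}" = "run" ]; then
    if [ "$(decide)" = "connect" ]; then
        exec openvpn --config "${2:?config file required}"
    fi
    echo "corporate network reachable; not starting openvpn" >&2
    exit 0
fi
```

Pointing PROBE_URL at a host that also resolves from the Internet defeats the check, and so does skipping certificate verification; both leave the decision in the hands of whoever controls the network the laptop is on. Karl's objection in the thread still applies to this approach: a laptop that roams off the corporate wireless will only get its tunnel when the wrapper is run again.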




Re: [Openvpn-devel] Intelligent OpenVPN service?

2010-10-18 Thread Davide Brini
On Mon, 18 Oct 2010 13:19:53 -0500 "Daniel Johnson" 
wrote:

> I want to set up company laptops and remote desktops to use OpenVPN
> as a service, but it should *only* connect if the computer does not
> already have a connection (such as locally wired or internal
> wireless).

Sorry for the silly question, but how do you expect the OpenVPN link to be
established if the computer "does not already have a connection"?

What do you mean with the above statement?

-- 
D.



Re: [Openvpn-devel] Errors adding routes on Windows 7 with OpenVPN 2.1.3

2010-10-18 Thread Alberto Gonzalez Iniesta
On Mon, Oct 18, 2010 at 05:50:44PM +0200, Christian Rank wrote:
> Hello,
> 
> we noticed a strange problem with OpenVPN 2.1.3 on a Windows 7 client
> here: The VPN tunnel to an OpenVPN server no longer works since the
> OpenVPN 2.1.3 software tries to insert many strange routes into the
> Windows 7 routing tables. With OpenVPN 2.1.1, all goes well. Our OpenVPN
> server is running on OpenVPN 2.1_rc15 i686-pc-linux-gnu.
> 
> I have attached the Windows OpenVPN log file (with verbosity 4).
> 
> Maybe this is a bug in the Windows implementation of OpenVPN 2.1.3?
> 

Hi Christian,

It's not a bug in the Windows implementation but in OpenVPN 2.1.3
itself. The bug is reported and it is being worked on.
I think you're using 'remote_host' in your client configuration (or
pushing it from the server). If that's the case, try replacing it with
the IP of the VPN server and see if that fixes it in the meantime.

Cheers,

Alberto


-- 
Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico
agi@(inittab.org|debian.org)| en GNU/Linux y software libre
Encrypted mail preferred| http://inittab.com

Key fingerprint = 9782 04E7 2B75 405C F5E9  0C81 C514 AF8E 4BA4 01C3



Re: [Openvpn-devel] Errors adding routes on Windows 7 with OpenVPN 2.1.3

2010-10-18 Thread Arne Schwabe
Am 18.10.10 17:50, schrieb Christian Rank:
> Hello,
>
> we noticed a strange problem with OpenVPN 2.1.3 on a Windows 7 client
> here: The VPN tunnel to an OpenVPN server no longer works since the
> OpenVPN 2.1.3 software tries to insert many strange routes into the
> Windows 7 routing tables. With OpenVPN 2.1.1, all goes well. Our OpenVPN
> server is running on OpenVPN 2.1_rc15 i686-pc-linux-gnu.
>
> I have attached the Windows OpenVPN log file (with verbosity 4).
>
> Maybe this is a bug in the Windows implementation of OpenVPN 2.1.3?
>
Without looking through your log, we had similar problems and adding the
def1 option fixed it for us.

Arne



[Openvpn-devel] Errors adding routes on Windows 7 with OpenVPN 2.1.3

2010-10-18 Thread Christian Rank
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hello,

we noticed a strange problem with OpenVPN 2.1.3 on a Windows 7 client
here: The VPN tunnel to an OpenVPN server no longer works since the
OpenVPN 2.1.3 software tries to insert many strange routes into the
Windows 7 routing tables. With OpenVPN 2.1.1, all goes well. Our OpenVPN
server is running on OpenVPN 2.1_rc15 i686-pc-linux-gnu.

I have attached the Windows OpenVPN log file (with verbosity 4).

Maybe this is a bug in the Windows implementation of OpenVPN 2.1.3?

Thanks in advance for any help,
Christian

- -- 
Dr. Christian Rank
Rechenzentrum Universität Passau
Bereich Netzwerk und Telekommunikation
Innstr. 33
D-94032 Passau
GERMANY
Tel.: 0851/509-1838
Fax:  0851/509-1802
PGP public key see http://www.rz.uni-passau.de/mitarbeiter/rank
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iJwEAQECAAYFAky8bM8ACgkQICQoVWVVBdXzYQQAlDytBOe1ssO6hgghgd80Kfa5
PY+7NkSLg+0ejCtEv2zLJ28YXf0Up5164celXVY2Hd+xjNXuUNOPezQ5cV2/agAh
ZIR97cfGZx0gDl92E7dwo0enCL23n/fwEnzJD9VkrjJ13eIiKIRhGZO297vSTsL2
jvtBTIMCvxPtKBonmX0=
=WRBl
-END PGP SIGNATURE-
Mon Oct 18 17:37:52 2010 NOTE: --user option is not implemented on Windows
Mon Oct 18 17:37:52 2010 NOTE: --group option is not implemented on Windows
Mon Oct 18 17:37:52 2010 us=32 Current Parameter Settings:
Mon Oct 18 17:37:52 2010 us=32   config = 'pers-ext.ovpn'
Mon Oct 18 17:37:52 2010 us=32   mode = 0
Mon Oct 18 17:37:52 2010 us=32   show_ciphers = DISABLED
Mon Oct 18 17:37:52 2010 us=32   show_digests = DISABLED
Mon Oct 18 17:37:52 2010 us=32   show_engines = DISABLED
Mon Oct 18 17:37:52 2010 us=32   genkey = DISABLED
Mon Oct 18 17:37:52 2010 us=32   key_pass_file = '[UNDEF]'
Mon Oct 18 17:37:52 2010 us=32   show_tls_ciphers = DISABLED
Mon Oct 18 17:37:52 2010 us=32 Connection profiles [default]:
Mon Oct 18 17:37:52 2010 us=32   proto = tcp-client
Mon Oct 18 17:37:52 2010 us=32   local = '[UNDEF]'
Mon Oct 18 17:37:52 2010 us=32   local_port = 0
Mon Oct 18 17:37:52 2010 us=32   remote = '132.231.254.253'
Mon Oct 18 17:37:52 2010 us=32   remote_port = 1198
Mon Oct 18 17:37:52 2010 us=32   remote_float = DISABLED
Mon Oct 18 17:37:52 2010 us=32   bind_defined = DISABLED
Mon Oct 18 17:37:52 2010 us=32   bind_local = DISABLED
Mon Oct 18 17:37:52 2010 us=32   connect_retry_seconds = 15
Mon Oct 18 17:37:52 2010 us=32   connect_timeout = 10
Mon Oct 18 17:37:52 2010 us=32   connect_retry_max = 2
Mon Oct 18 17:37:52 2010 us=32   socks_proxy_server = '[UNDEF]'
Mon Oct 18 17:37:52 2010 us=32   socks_proxy_port = 0
Mon Oct 18 17:37:52 2010 us=32   socks_proxy_retry = DISABLED
Mon Oct 18 17:37:52 2010 us=32 Connection profiles END
Mon Oct 18 17:37:52 2010 us=32   remote_random = DISABLED
Mon Oct 18 17:37:52 2010 us=32   ipchange = '[UNDEF]'
Mon Oct 18 17:37:52 2010 us=32   dev = 'tun'
Mon Oct 18 17:37:52 2010 us=32   dev_type = '[UNDEF]'
Mon Oct 18 17:37:52 2010 us=32   dev_node = '[UNDEF]'
Mon Oct 18 17:37:52 2010 us=32   lladdr = '[UNDEF]'
Mon Oct 18 17:37:52 2010 us=32   topology = 1
Mon Oct 18 17:37:52 2010 us=32   tun_ipv6 = DISABLED
Mon Oct 18 17:37:52 2010 us=32   ifconfig_local = '[UNDEF]'
Mon Oct 18 17:37:52 2010 us=32   ifconfig_remote_netmask = '[UNDEF]'
Mon Oct 18 17:37:52 2010 us=32   ifconfig_noexec = DISABLED
Mon Oct 18 17:37:52 2010 us=32   ifconfig_nowarn = DISABLED
Mon Oct 18 17:37:52 2010 us=32   shaper = 0
Mon Oct 18 17:37:52 2010 us=32   tun_mtu = 1500
Mon Oct 18 17:37:52 2010 us=32   tun_mtu_defined = ENABLED
Mon Oct 18 17:37:52 2010 us=32   link_mtu = 1500
Mon Oct 18 17:37:52 2010 us=32   link_mtu_defined = DISABLED
Mon Oct 18 17:37:52 2010 us=32   tun_mtu_extra = 0
Mon Oct 18 17:37:52 2010 us=32   tun_mtu_extra_defined = DISABLED
Mon Oct 18 17:37:52 2010 us=32   fragment = 0
Mon Oct 18 17:37:52 2010 us=32   mtu_discover_type = -1
Mon Oct 18 17:37:52 2010 us=32   mtu_test = 0
Mon Oct 18 17:37:52 2010 us=32   mlock = DISABLED
Mon Oct 18 17:37:52 2010 us=32   keepalive_ping = 0
Mon Oct 18 17:37:52 2010 us=32   keepalive_timeout = 0
Mon Oct 18 17:37:52 2010 us=32   inactivity_timeout = 0
Mon Oct 18 17:37:52 2010 us=32   ping_send_timeout = 0
Mon Oct 18 17:37:52 2010 us=32   ping_rec_timeout = 0
Mon Oct 18 17:37:52 2010 us=32   ping_rec_timeout_action = 0
Mon Oct 18 17:37:52 2010 us=32   ping_timer_remote = DISABLED
Mon Oct 18 17:37:52 2010 us=32   remap_sigusr1 = 0
Mon Oct 18 17:37:52 2010 us=32   explicit_exit_notification = 0
Mon Oct 18 17:37:52 2010 us=32   persist_tun = ENABLED
Mon Oct 18 17:37:52 2010 us=32   persist_local_ip = DISABLED
Mon Oct 18 17:37:52 2010 us=32   persist_remote_ip = DISABLED
Mon Oct 18 17:37:52 2010 us=32   persist_key = ENABLED
Mon Oct 18 17:37:52 

Re: [Openvpn-devel] openvpn, NTLM and McAfee Web Gateway

2010-10-18 Thread Jan Just Keijser

openvpn wrote:
> dear all,
>
> a few days ago I deployed an ovpn solution in a medium sized company.
> One of the two ends of the vpn network is passing through a proxy with
> NTLM authentication. ovpn has problems to recognize the authentication
> because immediately after sending the message type 1, the proxy sends
> no response, so I had to modify the source code by replacing the
> current message with a similar but different one.
>
> in particular this one:
>
> TlRMTVNTUAABAgIAAA==
>
> becomes:
>
> TlRMTVNTUAABB4IIogAFASgKDw==
>
> A detail of the work is available at:
>
> http://www.morzello.com/?p=350 (in Italian).
>
> I was wondering if you could have a function that supports this type
> of proxy (such as McAfee Web Gateway).


I applied your "patch" and I still cannot get it to work for my 
httpd+mod_ntlm (NTLMv1 only) installation. The NTLM handshake that 
OpenVPN does is broken. Without the patch Wireshark tells me the first 
NTLMSSP message is invalid:
 http://www.nikhef.nl/~janjust/openvpn/openvpn-ntlm-error1.png
If I change the phase_1 NTLM message to the above I get one step further 
but then it breaks at the next packet:

 http://www.nikhef.nl/~janjust/openvpn/openvpn-ntlm-error2.png
It seems the Windows domain and username are not stored properly inside 
the request. The same httpd+mod_ntlm installation works flawlessly using 
Internet Explorer 7: in that case the domain and user name are encoded 
just fine.


What am I doing wrong?

cheers,

JJK