Re: [Openvpn-users] OpenVPN with OSPF there is no proper guide or support --"TAP support removal" rumor
On Wed, Apr 29, 2020 at 05:34:14 -0400, Jonathan K. Bullard wrote:
> Hi,
>
> On Wed, Apr 29, 2020 at 3:43 AM Gert Doering wrote:
> > On Wed, Apr 29, 2020 at 09:03:20AM +0200, free...@tango.lu wrote:
> > > Which makes me think OSPF is only possible with the old tap interfaces,
> > > what the OpenVPN dev team even want to remove in the future, why is
> > > there no proper support of OSPF in routed tun tunnels?
> >
> > Not sure where that rumor is coming from. No removal of TAP device
> > support is planned.
>
> I don't know where the rumor started, but I can understand why it is
> plausible:
>
> (A) The OpenVPN developers discourage the use of TAP connections,
> saying, for example "Layer 3 is for a number of reasons the better
> choice anyways" [1];
> (B) The "OpenVPN Connect" Android and iOS apps do not support TAP
> connections [1][2]; and
> (C) Apple has deprecated loading the system extension that Tunnelblick
> uses to create a TAP device and, on the latest version of macOS, pops
> up a warning saying the extension "will be incompatible with future
> versions of macOS" [3].

Expanding further on those points, there was a discussion of this topic
here on this list back in March 2019, under the Subject "Removal of the
TAP Bridge, Strange ARP issue and looking for solutions for an alternative
Layer2 VPN", e.g.
https://sourceforge.net/p/openvpn/mailman/message/36606924/ or
https://www.mail-archive.com/openvpn-users@lists.sourceforge.net/msg04759.html .

That discussion makes clear that in fact OpenVPN _3_ specifically does
*not* include support for TAP (at least as currently implemented). The
discussion does go on to explain that all releases of OpenVPN _2.x_ will
continue to include TAP support and that v2 "will live for a long time to
come"... but I can certainly understand "casual" users being confused by
this distinction.

The OP in that thread did not give an explicit reference to the origin of
his/her information regarding TAP support/"bridged networking", so I'm not
sure what would have helped avoid the confusion there...

... but I searched around a bit in the Community Wiki and though there are
a number of pages that mention specific OpenVPN 3 software packages, I
didn't find any general page explaining the differences-between and
future-plans-for the v2 and v3 (and "Connect") product lines, etc. --
something like that might help clear up (a little of) this sort of
confusion.

Nathan

Nathan Stratton Treadway - natha...@ontko.com - Mid-Atlantic region
Ray Ontko & Co. - Software consulting services - http://www.ontko.com/
GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt ID: 1023D/ECFB6239
Key fingerprint = 6AD8 485E 20B9 5C71 231C 0C32 15F3 ADCD ECFB 6239

___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] OpenVPN architecture
Thank you, I appreciate the detailed response.

-----Original Message-----
From: Gert Doering
To: Leroy Tennison
Cc: openvpn-users
Sent: Wed, Apr 29, 2020 11:53 am
Subject: Re: [Openvpn-users] OpenVPN architecture

Hi,

On Wed, Apr 29, 2020 at 04:47:56PM +, Leroy Tennison via Openvpn-users wrote:
> I've seen a couple of replies to this but no direct answer to my question,
> sounds like OpenVPN works similar to https, correct?

Sort of. It's a bit more complicated, but it boils down to "TLS runs,
authenticates by asymmetric cipher, uses DH to build key for symmetric
cipher for the control channel, uses key material derived from that to
build symmetric cipher for the data channel"

gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de
Re: [Openvpn-users] OpenVPN architecture
Hi,

On Wed, Apr 29, 2020 at 04:47:56PM +, Leroy Tennison via Openvpn-users wrote:
> I've seen a couple of replies to this but no direct answer to my question,
> sounds like OpenVPN works similar to https, correct?

Sort of. It's a bit more complicated, but it boils down to "TLS runs,
authenticates by asymmetric cipher, uses DH to build key for symmetric
cipher for the control channel, uses key material derived from that to
build symmetric cipher for the data channel"

gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de
Re: [Openvpn-users] OpenVPN architecture
I've seen a couple of replies to this but no direct answer to my question,
sounds like OpenVPN works similar to https, correct?

-----Original Message-----
From: Leroy Tennison via Openvpn-users
To: openvpn-users
Sent: Tue, Apr 28, 2020 5:28 pm
Subject: [Openvpn-users] OpenVPN architecture

Is OpenVPN architecture similar to HTTPS where the certificate, etc. is used
to encrypt and transmit a symmetric key which is then used for all future
communication?
Re: [Openvpn-users] cipher selection
Thanks for the clarification. I noticed your "upgrade" statement, just
didn't assume a strict dependency of the ".. OCC..." statement with the
upgrade statement. Working on an upgrade plan...

-----Original Message-----
From: Gert Doering
To: Leroy Tennison
Cc: openvpn-users
Sent: Wed, Apr 29, 2020 9:52 am
Subject: Re: [Openvpn-users] cipher selection

Hi,

On Wed, Apr 29, 2020 at 02:36:36PM +, Leroy Tennison via Openvpn-users wrote:
> Well, this is unfortunate, reading your "their cipher setting is sent in the
> OCC handshake to the server, and the server can handle different ciphers to
> different clients" I thought I'd try setting a cipher in my 2.4.4 client's
> configuration (one that the 2.3.10 server said it supported) and then trying
> to connect to the 2.3.10 server.

You missed the "upgrade the server to 2.4.9" bit in my mail :-)

A 2.3 server will NOT handle differing ciphers for different clients.

(2.3.10 is OLD - the latest release in the 2.3 train is like 2.3.18, and
that one is from 2017)

gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de
Re: [Openvpn-users] OpenVPN with OSPF there is no proper guide or support
Hi,

On Wed, Apr 29, 2020 at 04:45:14PM +0200, Jan Just Keijser wrote:
> it does make me wonder what the posts were about of people using
> openvpn+tun+pfsense/quagga - some even more than 10 yrs ago!

p2p mode, mayhaps?

(IPv6 worked in p2p mode also much much earlier than in p2mp mode - mostly
a question of prodding the kernel driver for "yes, multiprotocol!", but
then just forwarding packets back and forth. IPv6 in p2mp mode required
teaching iroute about IPv6...)

gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de
Re: [Openvpn-users] cipher selection
Hi,

On Wed, Apr 29, 2020 at 02:36:36PM +, Leroy Tennison via Openvpn-users wrote:
> Well, this is unfortunate, reading your "their cipher setting is sent in the
> OCC handshake to the server, and the server can handle different ciphers to
> different clients" I thought I'd try setting a cipher in my 2.4.4 client's
> configuration (one that the 2.3.10 server said it supported) and then trying
> to connect to the 2.3.10 server.

You missed the "upgrade the server to 2.4.9" bit in my mail :-)

A 2.3 server will NOT handle differing ciphers for different clients.

(2.3.10 is OLD - the latest release in the 2.3 train is like 2.3.18, and
that one is from 2017)

gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de
Re: [Openvpn-users] OpenVPN with OSPF there is no proper guide or support
Hi Gert,

On 29/04/20 13:11, Gert Doering wrote:
> Hi,
>
> On Wed, Apr 29, 2020 at 12:45:26PM +0200, Gert Doering wrote:
> > On Wed, Apr 29, 2020 at 12:25:02PM +0200, Jan Just Keijser wrote:
> > > in other words, OSPF is not UDP or TCP based and hence will not easily
> > > work over routed tunnels - which makes sense, as OSPF is a rout*ING
> > > *protocol, not a rout*ED* protocol.
> >
> > Naaah.
>
> To word this a bit more explicitly :-)
>
> OpenVPN in p2p mode will transport everything that is running on top of
> IPv4 or IPv6. So, no "UDP or TCP based" (otherwise "ping" wouldn't work).
> It will transport OSPF / OSPFv3 packets just fine.
>
> It might or might not transport non-IP stuff, like IPX or ISO (which would
> be needed for IS-IS routing). Theoretically it should, but I would assume
> some checks for v4/v6 and subsequent packet explosion.
>
> Now, p2mp mode. In p2mp mode, the server needs to understand what to do
> with the packet (server-internal routing table, "iroute" stuff).
>
> OSPF does multicast, which is somewhat half-implemented into OpenVPN -
> namely, multicast packets get treated as broadcasted. Which is what is
> needed here: make sure OSPF packets get to all tun clients (drawback: also
> to those that are not running OSPF, so don't mix).
>
> This should also work "just fine", because the server's routing is also
> not based on "UDP or TCP based", just on IPv4/IPv6 target address inside
> the tunnel.
>
> Next, OSPF exchanges IPv4/IPv6 routing info, and this is programmed into
> the kernel routing table left and right. *This* is where OSPF breaks in
> p2mp mode, because this kernel routing info is not propagating into the
> OpenVPN server iroute table.

thanks for correcting me, as always ;)

it does make me wonder what the posts were about of people using
openvpn+tun+pfsense/quagga - some even more than 10 yrs ago!

cheers,

JJK
Re: [Openvpn-users] cipher selection
Well, this is unfortunate, reading your "their cipher setting is sent in the
OCC handshake to the server, and the server can handle different ciphers to
different clients" I thought I'd try setting a cipher in my 2.4.4 client's
configuration (one that the 2.3.10 server said it supported) and then trying
to connect to the 2.3.10 server. The connection appeared to work without
issue, then I tried to connect to a remote resource (the 2.3.10 server
itself) - no response (same for a few other remote systems). Tried a
different cipher (and neither was only for TLS mode) - same result. Looks
like I need to get to 2.4.something on the server.

This is a sad commentary on long term support distributions, 2.3.10 came
with Ubuntu 16.04. Red Hat/CentOS tends to be further behind than Ubuntu, I
can only imagine what version they're on.

-----Original Message-----
From: Gert Doering
To: Leroy Tennison
Cc: openvpn-users
Sent: Wed, Apr 29, 2020 12:50 am
Subject: Re: [Openvpn-users] cipher selection

Hi,

On Tue, Apr 28, 2020 at 10:23:10PM +, Leroy Tennison via Openvpn-users wrote:
> Server is 2.3.10, clients are "various" (but not older than 2.3.10). A few
> questions:
> Is there a way to tell what cipher an active connection is using?

There's "TLS cipher" (which it will log) and "data channel cipher". Data
channel cipher is always the same in 2.3, so "cipher foo", or if not
explicitly configured, bf-cbc (blowfish).

> If i want to set a cipher on the server, do all clients have to be explicitly
> configured the same way?

Yes, because for 2.3 clients, cipher settings can not be pushed.

> Put another way, is there a way to migrate an existing situation to a
> stronger cipher?
> I noticed that 2.4+ has a negotiation option, is that on by default? The
> documentation is rather terse about this feature.

What you can and should do:

- upgrade the server to something less antique (2.4.9). This should
  "just work", with no config changes

- all 2.4 clients (or later) will automatically use AES-GCM (see
  "man openvpn", "--cipher", "--ncp-ciphers" and "--ncp-disable" for
  more discussion)

- older clients will stick to "what they have" - their cipher setting
  is sent in the OCC handshake to the server, and the server can handle
  different ciphers to different clients

- if one of the 2.3 clients can not be upgraded, you can still put
  "cipher " into its config, and the server will auto-adjust.

  *BUT* this cipher needs to be appended to the server's "--ncp-ciphers"
  config - default is

    ncp-ciphers AES-256-GCM:AES-128-GCM

  so this would need to become

    ncp-ciphers AES-256-GCM:AES-128-GCM:foo

  so that "cipher foo" is acceptable to the server.

(You could just use "cipher AES-256-GCM" on the client, but a 2.3.x
client might be SO old that it has no AES-GCM support yet)

There's more material on "NCP" (negotiable cipher protocol) and how to
migrate in the openvpn-users list archive.

gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de
Re: [Openvpn-users] cipher selection
Thank you, you've given me options to try, I appreciate it.

-----Original Message-----
From: Gert Doering
To: Leroy Tennison
Cc: openvpn-users
Sent: Wed, Apr 29, 2020 12:50 am
Subject: Re: [Openvpn-users] cipher selection

Hi,

On Tue, Apr 28, 2020 at 10:23:10PM +, Leroy Tennison via Openvpn-users wrote:
> Server is 2.3.10, clients are "various" (but not older than 2.3.10). A few
> questions:
> Is there a way to tell what cipher an active connection is using?

There's "TLS cipher" (which it will log) and "data channel cipher". Data
channel cipher is always the same in 2.3, so "cipher foo", or if not
explicitly configured, bf-cbc (blowfish).

> If i want to set a cipher on the server, do all clients have to be explicitly
> configured the same way?

Yes, because for 2.3 clients, cipher settings can not be pushed.

> Put another way, is there a way to migrate an existing situation to a
> stronger cipher?
> I noticed that 2.4+ has a negotiation option, is that on by default? The
> documentation is rather terse about this feature.

What you can and should do:

- upgrade the server to something less antique (2.4.9). This should
  "just work", with no config changes

- all 2.4 clients (or later) will automatically use AES-GCM (see
  "man openvpn", "--cipher", "--ncp-ciphers" and "--ncp-disable" for
  more discussion)

- older clients will stick to "what they have" - their cipher setting
  is sent in the OCC handshake to the server, and the server can handle
  different ciphers to different clients

- if one of the 2.3 clients can not be upgraded, you can still put
  "cipher " into its config, and the server will auto-adjust.

  *BUT* this cipher needs to be appended to the server's "--ncp-ciphers"
  config - default is

    ncp-ciphers AES-256-GCM:AES-128-GCM

  so this would need to become

    ncp-ciphers AES-256-GCM:AES-128-GCM:foo

  so that "cipher foo" is acceptable to the server.

(You could just use "cipher AES-256-GCM" on the client, but a 2.3.x
client might be SO old that it has no AES-GCM support yet)

There's more material on "NCP" (negotiable cipher protocol) and how to
migrate in the openvpn-users list archive.

gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de
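The data-channel cipher selection Gert describes in the quoted mail above (a 2.4.9 server facing a mix of 2.3 and 2.4 clients) reduced to a small model, as an added example that is neither from the thread nor from OpenVPN's source. It models only the rules the mail states: 2.4+ clients negotiate and land on AES-GCM from the server's ncp-ciphers list; a 2.3 client announces its own "cipher" in OCC (BF-CBC when unset) and keeps it, which the server accepts if that cipher is in its ncp-ciphers list. The one assumption beyond the mail is that a 2.3 client whose OCC cipher equals the server's own --cipher (BF-CBC by default) is also served, which is what makes "no config changes" work for untouched clients. The `supports` list per client is constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass

# Defaults as quoted in the thread: 2.4 server ncp-ciphers, 2.3 data cipher
DEFAULT_NCP_CIPHERS = "AES-256-GCM:AES-128-GCM"
LEGACY_DEFAULT_CIPHER = "BF-CBC"


@dataclass
class Client:
    name: str
    version: str                     # "2.3.10", "2.4.4", ...
    cipher: str | None = None        # the client's own "cipher" line, if any
    # Ciphers the client's crypto library can do (constructed sample data);
    # a very old 2.3.x build may lack AES-GCM entirely, as the mail warns.
    supports: tuple[str, ...] = ("AES-256-GCM", "AES-128-GCM", "AES-256-CBC", "BF-CBC")


def negotiates(version: str) -> bool:
    """2.4 and later clients take part in NCP; 2.3 clients do not."""
    major, minor = (int(x) for x in version.split(".")[:2])
    return (major, minor) >= (2, 4)


def parse_ncp(ncp_ciphers: str) -> list[str]:
    """Split an ncp-ciphers value ("A:B:C") into a normalised list."""
    return [c.strip().upper() for c in ncp_ciphers.split(":") if c.strip()]


def select_cipher(client: Client, server_ncp: str = DEFAULT_NCP_CIPHERS,
                  server_cipher: str = LEGACY_DEFAULT_CIPHER) -> tuple[str | None, str]:
    """Return (data-channel cipher, reason); None means the server cannot serve this client."""
    offered = parse_ncp(server_ncp)
    if negotiates(client.version):
        # NCP client: first entry of the server list the client can actually do
        for c in offered:
            if c in client.supports:
                return c, "negotiated via NCP"
        return None, "no cipher in server ncp-ciphers is supported by the client"
    # Non-NCP client: it announces its configured cipher in OCC and keeps it
    occ = (client.cipher or LEGACY_DEFAULT_CIPHER).upper()
    if occ == server_cipher.upper():
        return occ, "OCC cipher equals server --cipher (assumed acceptable)"
    if occ in offered:
        return occ, "OCC cipher listed in server ncp-ciphers"
    return None, f"OCC cipher {occ} must be appended to server ncp-ciphers"


def migration_report(clients: list[Client],
                     server_ncp: str = DEFAULT_NCP_CIPHERS) -> dict[str, str | None]:
    """Per-client outcome of the server upgrade for a whole fleet (None = needs action)."""
    return {c.name: select_cipher(c, server_ncp)[0] for c in clients}


if __name__ == "__main__":
    fleet = [Client("laptop", "2.4.4"),
             Client("branch-router", "2.3.10"),
             Client("legacy-box", "2.3.10", cipher="AES-256-CBC")]
    for ncp in (DEFAULT_NCP_CIPHERS, DEFAULT_NCP_CIPHERS + ":AES-256-CBC"):
        print(ncp, "->", migration_report(fleet, ncp))
```

Running the report with the default list flags the client pinned to AES-256-CBC as unserved; appending that cipher to ncp-ciphers, exactly as the mail prescribes, clears it while the 2.4 client still negotiates AES-256-GCM.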
Re: [Openvpn-users] OpenVPN with OSPF there is no proper guide or support
Hi,

On Wed, Apr 29, 2020 at 12:45:26PM +0200, Gert Doering wrote:
> On Wed, Apr 29, 2020 at 12:25:02PM +0200, Jan Just Keijser wrote:
> > in other words, OSPF is not UDP or TCP based and hence will not easily
> > work over routed tunnels - which makes sense, as OSPF is a rout*ING
> > *protocol, not a rout*ED* protocol.
>
> Naaah.

To word this a bit more explicitly :-)

OpenVPN in p2p mode will transport everything that is running on top of
IPv4 or IPv6. So, no "UDP or TCP based" (otherwise "ping" wouldn't work).
It will transport OSPF / OSPFv3 packets just fine.

It might or might not transport non-IP stuff, like IPX or ISO (which would
be needed for IS-IS routing). Theoretically it should, but I would assume
some checks for v4/v6 and subsequent packet explosion.

Now, p2mp mode. In p2mp mode, the server needs to understand what to do
with the packet (server-internal routing table, "iroute" stuff).

OSPF does multicast, which is somewhat half-implemented into OpenVPN -
namely, multicast packets get treated as broadcasted. Which is what is
needed here: make sure OSPF packets get to all tun clients (drawback: also
to those that are not running OSPF, so don't mix).

This should also work "just fine", because the server's routing is also
not based on "UDP or TCP based", just on IPv4/IPv6 target address inside
the tunnel.

Next, OSPF exchanges IPv4/IPv6 routing info, and this is programmed into
the kernel routing table left and right. *This* is where OSPF breaks in
p2mp mode, because this kernel routing info is not propagating into the
OpenVPN server iroute table.

In *TAP* mode, just for completeness, OpenVPN does not care at all for
protocol numbers or IPv4/IPv6 routing. All it does is "I am an ethernet
switch, and I will send out packets based on MAC address", so routing
(which will install a next-hop to something identifiable by ARP and then
given to OpenVPN with a known destination MAC address) will work nicely.
IS-IS, IPX, ISO networking might also "just work", because it's "just
ethernet frames".

The reason why (Jonathan pointed this out) the OpenVPN devs usually
recommend away from TAP mode is that TAP brings more overhead (extra
ethernet header inside each VPN packet, extra ARP packets, ...) and has
no benefits for a "normal" L3 routed setup.

Worded differently, if what you want can be done inside OpenVPN routing,
tun mode is what you want, because it is more efficient. If you need
stuff like "bridge together two networks so that Netbios broadcasting
works", TAP mode is it for you, or use a WINS or AD server instead :-)

gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de
Re: [Openvpn-users] OpenVPN with OSPF there is no proper guide or support
Hi,

On Wed, Apr 29, 2020 at 12:25:02PM +0200, Jan Just Keijser wrote:
> in other words, OSPF is not UDP or TCP based and hence will not easily
> work over routed tunnels - which makes sense, as OSPF is a rout*ING
> *protocol, not a rout*ED* protocol.

Naaah.

gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de
Re: [Openvpn-users] OpenVPN with OSPF there is no proper guide or support
On Wed, Apr 29, 2020 at 09:03:20AM +0200, free...@tango.lu wrote:
> Ok so after a bit of research and finding half baked articles such as:
> https://superuser.com/questions/1283125/proper-configuration-for-quagga-ospf-on-an-openvpn-network
>
> Which makes me think OSPF is only possible with the old tap interfaces,
> what the OpenVPN dev team even want to remove in the future, why is
> there no proper support of OSPF in routed tun tunnels?

from https://en.wikipedia.org/wiki/Open_Shortest_Path_First

"Unlike other routing protocols, OSPF does not carry data via a transport
protocol, such as the User Datagram Protocol (UDP) or the Transmission
Control Protocol (TCP). Instead, OSPF forms IP datagrams directly,
packaging them using protocol number 89 for the IP Protocol field."

in other words, OSPF is not UDP or TCP based and hence will not easily
work over routed tunnels - which makes sense, as OSPF is a rout*ING
*protocol, not a rout*ED* protocol.

Having said that, lots of people have posted info on how to set up OSPF
over a tun-based openvpn setup, e.g.
https://forum.netgate.com/topic/117806/solved-running-ospf-on-tun-openvpn

HTH,

JJK
Re: [Openvpn-users] OpenVPN with OSPF there is no proper guide or support
Hi,

On Wed, Apr 29, 2020 at 3:43 AM Gert Doering wrote:
>
> Hi,
>
> On Wed, Apr 29, 2020 at 09:03:20AM +0200, free...@tango.lu wrote:
> > Ok so after a bit of research and finding half baked articles such as:
> > https://superuser.com/questions/1283125/proper-configuration-for-quagga-ospf-on-an-openvpn-network
> >
> > Which makes me think OSPF is only possible with the old tap interfaces,
> > what the OpenVPN dev team even want to remove in the future, why is
> > there no proper support of OSPF in routed tun tunnels?
>
> Not sure where that rumor is coming from. No removal of TAP device
> support is planned.

I don't know where the rumor started, but I can understand why it is
plausible:

(A) The OpenVPN developers discourage the use of TAP connections,
saying, for example "Layer 3 is for a number of reasons the better
choice anyways" [1];
(B) The "OpenVPN Connect" Android and iOS apps do not support TAP
connections [1][2]; and
(C) Apple has deprecated loading the system extension that Tunnelblick
uses to create a TAP device and, on the latest version of macOS, pops
up a warning saying the extension "will be incompatible with future
versions of macOS" [3].

Best regards,

Jon Bullard

[1] https://openvpn.net/vpn-server-resources/faq-regarding-openvpn-connect-android/#Why_does_the_app_not_support_TAP-style_tunnels
[2] https://openvpn.net/vpn-server-resources/faq-regarding-openvpn-connect-ios/#Why_doesnt_the_app_support_tap-style_tunnels
[3] https://tunnelblick.net/cTunTapConnections.html
Re: [Openvpn-users] OpenVPN architecture
On Wed, Apr 29, 2020 at 09:37:06AM +0200, Gert Doering wrote:
> > HTTPS also has PFS[1] now, does OpenVPN have PFS too ? :))
>
> Of course :-)
>
> (it always had, in TLS mode. Not in p2p --secret mode, but that is
> deprecated - no PFS is one of the reasons)

Nice! Thanks Gert.
Re: [Openvpn-users] Checking OpenVPN connectivity
Hi,

On 29/04/20 03:26, Erich Titl wrote:
> Hi
>
> On 29.04.2020 at 00:45, Leroy Tennison via Openvpn-users wrote:
> > I had a situation today where I was asked "telnet to the port, see if it
> > connects" to check their firewall configuration. I realize this isn't
> > going to work because telnet is tcp and the configuration is udp but it
> > caused me to wonder "Is there a way to test protocol connectivity (are
> > udp packets from a source making it to a destination) without actually
> > trying to make a connection?" The reason I ask is that an existing 1024
> > bit connection is being replaced by a 4096 bit one and I would prefer to
> > know that the firewall configuration (over which I have no visibility or
> > control) was "in place" before attempting to do so.
>
> Why don't you just use an openvpn client with a known working connection
> and read its log file.

Eric is fully correct - depending on your setup, that is about the *only*
way you ever will get a useful answer over UDP; if you have set up tls-auth
or tls-crypt then 'netcat -u' will not work, as the OpenVPN server
will/should drop all packets immediately that are not signed using the
right key.

HTH,

JJK
Re: [Openvpn-users] OpenVPN with OSPF there is no proper guide or support
Hi,

On 29/04/2020 09:03, free...@tango.lu wrote:
> Ok so after a bit of research and finding half baked articles such as:
> https://superuser.com/questions/1283125/proper-configuration-for-quagga-ospf-on-an-openvpn-network
>
> Which makes me think OSPF is only possible with the old tap interfaces,
> what the OpenVPN dev team even want to remove in the future, why is
> there no proper support of OSPF in routed tun tunnels?

What makes you think that OSPF (or BGP) can't just work over tun
interfaces? It should just work as it does over any other IP tunnel.

Did you hit any problem while running it?

> Is there no demand of using routing protocols inside VPN tunnels? Any
> plans for the future to have something like quagga built into OpenVPN to
> take care of this?

No - I don't think there is a real reason to have it built-in.

Cheers,

--
Antonio Quartulli
Re: [Openvpn-users] OpenVPN with OSPF there is no proper guide or support
Hi,

On Wed, Apr 29, 2020 at 09:03:20AM +0200, free...@tango.lu wrote:
> Ok so after a bit of research and finding half baked articles such as:
> https://superuser.com/questions/1283125/proper-configuration-for-quagga-ospf-on-an-openvpn-network
>
> Which makes me think OSPF is only possible with the old tap interfaces,
> what the OpenVPN dev team even want to remove in the future, why is
> there no proper support of OSPF in routed tun tunnels?

Not sure where that rumor is coming from. No removal of TAP device
support is planned.

OSPF over tun works fine *if* you do p2p tun. It does not work if you
have a point-to-multipoint server involved ("--server") because that one
has an internal routing table which is not synchronized to the kernel
side. So OSPF might speak through the tunnel, but the routes exchanged
are not learned by OpenVPN, and so packets can not flow.

> Is there no demand of using routing protocols inside VPN tunnels? Any
> plans for the future to have something like quagga built into OpenVPN to
> take care of this?

Antonio has recently started a discussion about "can we not synchronize
the OpenVPN iroute table with the kernel routing table". This would
enable BGP/OSPF/... on top of openvpn tunnels, but it is not trivially
done. Like, quite *very* difficult to get right.

gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de
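The p2p-versus-p2mp distinction Gert draws in this thread (the short form in this mail and the longer p2p / p2mp / multicast-as-broadcast / iroute explanation earlier in the thread) as an added model in Python; this is an illustration written for this page, not OpenVPN's code. It builds minimal IPv4 packets (OSPF is IP protocol 89, not UDP or TCP) and then shows the one decision that matters: a p2mp server picks the destination client by looking up the inner destination IP in its *internal* iroute table, treats multicast as broadcast, and never consults what OSPF has installed in the kernel. The client names, the site prefixes from the original post, and the tunnel addresses are constructed sample data.

```python
from __future__ import annotations
import ipaddress
import struct

OSPF_PROTO = 89                # OSPF rides directly on IP (protocol number 89)
UDP_PROTO = 17
OSPF_ALL_ROUTERS = "224.0.0.5" # the multicast group OSPF hellos go to
IPV4_HDR = "!BBHHHBBH4s4s"     # minimal 20-byte IPv4 header, no options


def build_ipv4(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4 packet (header checksum left 0; this is a model)."""
    hdr = struct.pack(IPV4_HDR, (4 << 4) | 5, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def parse_ipv4(pkt: bytes):
    """Return (src, dst, protocol); the destination is all the server routes on."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    return ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), proto


def p2p_forward(pkt: bytes, peer: str = "peer") -> list[str]:
    """p2p tun mode: one peer, every IP packet goes there, protocol irrelevant."""
    parse_ipv4(pkt)               # it still has to be IP
    return [peer]


class P2mpServer:
    """p2mp ("--server") mode: delivery is decided by destination IP against iroute."""

    def __init__(self, clients):
        self.clients = list(clients)
        self.iroute = []          # (network, client): --iroute / client tunnel addresses
        self.kernel_routes = []   # (network, nexthop): what OSPF programs into the kernel

    def add_iroute(self, prefix: str, client: str) -> None:
        self.iroute.append((ipaddress.ip_network(prefix), client))

    def learn_kernel_route(self, prefix: str, nexthop: str) -> None:
        # OSPF (quagga etc.) updates the kernel; nothing copies this into self.iroute
        self.kernel_routes.append((ipaddress.ip_network(prefix), nexthop))

    def forward(self, pkt: bytes) -> list[str]:
        """Clients that receive the packet; [] means the server has nowhere to send it."""
        _, dst, _ = parse_ipv4(pkt)
        if dst.is_multicast:
            # multicast handled as broadcast: every tun client, OSPF speaker or not
            return sorted(self.clients)
        matches = [(net, c) for net, c in self.iroute if dst in net]
        if not matches:
            return []             # the kernel may know this route; the server does not
        _, client = max(matches, key=lambda m: m[0].prefixlen)   # longest prefix wins
        return [client]


def demo() -> dict[str, list[str]]:
    """Walk through the cases from the thread with the OP's site prefixes (constructed)."""
    srv = P2mpServer(["A", "B", "C"])
    for prefix, client in (("10.0.1.0/24", "A"), ("10.0.2.0/24", "B"), ("10.0.3.0/24", "C")):
        srv.add_iroute(prefix, client)
    hello = build_ipv4("10.8.0.2", OSPF_ALL_ROUTERS, OSPF_PROTO, b"\x02\x01")
    to_b_ospf = build_ipv4("10.0.1.9", "10.0.2.5", OSPF_PROTO)
    to_b_udp = build_ipv4("10.0.1.9", "10.0.2.5", UDP_PROTO)
    srv.learn_kernel_route("10.0.9.0/24", "10.8.0.4")   # OSPF-learned, kernel only
    to_ospf_learned = build_ipv4("10.0.1.9", "10.0.9.1", UDP_PROTO)
    return {
        "hello": srv.forward(hello),                 # broadcast to all clients
        "ospf_unicast_to_B": srv.forward(to_b_ospf), # protocol 89 is routed like any IP
        "udp_unicast_to_B": srv.forward(to_b_udp),
        "ospf_learned_prefix": srv.forward(to_ospf_learned),  # [] : iroute does not know it
        "p2p": p2p_forward(to_ospf_learned),         # p2p mode: just hand it to the peer
    }


if __name__ == "__main__":
    for case, out in demo().items():
        print(f"{case:20s} -> {out}")
```

The last two cases are the whole point of the thread: the same packet that a p2p tunnel simply hands to its peer is dropped by the p2mp server, because the prefix OSPF learned exists only in the kernel table, and only an explicit iroute (or the iroute/kernel synchronisation Antonio raised) would make it deliverable.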
Re: [Openvpn-users] OpenVPN architecture
Hi,

On Wed, Apr 29, 2020 at 08:57:07AM +0200, Marc SCHAEFER wrote:
> On Tue, Apr 28, 2020 at 10:26:40PM +, Leroy Tennison via Openvpn-users
> wrote:
> > Is OpenVPN architecture similar to HTTPS where the certificate, etc. is
> > used to encrypt and transmit a symmetric key which is then used for all
> > future communication?
>
> HTTPS also has PFS[1] now, does OpenVPN have PFS too ? :))

Of course :-)

(it always had, in TLS mode. Not in p2p --secret mode, but that is
deprecated - no PFS is one of the reasons)

gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de
[Openvpn-users] OpenVPN with OSPF there is no proper guide or support
Ok so after a bit of research and finding half baked articles such as:
https://superuser.com/questions/1283125/proper-configuration-for-quagga-ospf-on-an-openvpn-network

Which makes me think OSPF is only possible with the old tap interfaces,
what the OpenVPN dev team even want to remove in the future, why is
there no proper support of OSPF in routed tun tunnels?

Is there no demand of using routing protocols inside VPN tunnels? Any
plans for the future to have something like quagga built into OpenVPN to
take care of this?

My setup would be something common: 3 locations

A 10.0.1.0/24
B 10.0.2.0/24
C 10.0.3.0/24

With point to point tunnels between all 3 locations with OpenVPN in
routed mode. The tunnels use different p2p ips like:

A->B 192.168.1.1 192.168.1.2
B->C 192.168.1.3 192.168.1.4
A->C 192.168.1.5 192.168.1.6

So manually, for example for hosts on A to reach computers on B, you
would add a route like:

route add -net 10.0.2.0/24 gw 192.168.1.2

However with these static routes if the connection goes down between A
and B and both A and C and B and C is up it will not be rerouted on the
other path. This is where OSPF would be useful.

I wonder how others deal with these kind of setups?

Thanks
Re: [Openvpn-users] OpenVPN architecture
On Tue, Apr 28, 2020 at 10:26:40PM +, Leroy Tennison via Openvpn-users wrote:
> Is OpenVPN architecture similar to HTTPS where the certificate, etc. is used
> to encrypt and transmit a symmetric key which is then used for all future
> communication?

HTTPS also has PFS[1] now, does OpenVPN have PFS too ? :))

[1] https://en.wikipedia.org/wiki/Forward_secrecy
    if the private key is stolen, decryption of key exchange protocols
    will not give the key, e.g. PKI authenticated Diffie-Hellman
Re: [Openvpn-users] Checking OpenVPN connectivity
On Tue, Apr 28, 2020 at 10:45:03PM +, Leroy Tennison via Openvpn-users wrote:
> udp packets from a source making it to a destination) without actually trying
> to make a connection

You can try netcat, with the -u option.

Now, if you have a real powerful firewall it may see this is not
legitimate OpenVPN traffic and block it. Wonder if this exists.