Re: [Openvpn-users] peer-peer vpns and systemd
Hi,

On 22/07/20 13:32, Richard Hector wrote:
> On 21/07/20 11:23 pm, Jan Just Keijser wrote:
>> Hi Richard,
>>
>> On 19/07/20 12:04, Richard Hector wrote:
>>> That's what I couldn't manage - a p2p network (no client or server) using certificates. In the end I concluded it couldn't be done, but I'm happy to be corrected.
>>
>> this can be achieved using the following configs:
>>
>> ## server ##
>> tls-server
>> proto udp
>> port 1194
>> dev tun
>> ifconfig 10.200.0.1 10.200.0.2
>> dh dh2048.pem
>> tls-auth ta.key 0
>> ca ca.crt
>> cert server.crt
>> key server.key
>> keepalive 10 60
>> cipher aes-256-gcm
>> auth sha256
>> ##
>>
>> ## client ##
>> tls-client
>> proto udp
>> remote
>> port 1194
>> dev tun
>> nobind  # or use rport
>> ifconfig 10.200.0.2 10.200.0.1
>> remote-cert-tls server
>> tls-auth ta.key 1
>> ca ca.crt
>> cert client1.crt
>> key client1.key
>> cipher aes-256-gcm
>> auth sha256
>> ##
>
> That doesn't achieve the goal of "no client or server", since there are 2 distinct config files.

there will always be minor differences; if you build a "symmetric" certificate (client + server auth) then you can get the differences down to three lines:

1c1
< tls-client
---
> tls-server
3d2
< remote
7c6
< ifconfig 10.200.0.2 10.200.0.1
---
> ifconfig 10.200.0.1 10.200.0.2

the only extra is the "tls-client"/"tls-server" line compared to the PSK version. And this makes sense, as in PSK mode the key exchange+encryption is symmetric whereas in certificate mode it is not.

>> a few notes:
>> - even in PSK p2p mode one of the sides is more server-like (I tend to call it the listener) and the other side is the client (the one initiating the connection).
>
> In p2p psk mode, I can have files that only differ in address, port and device numbers/names - they're symmetrical. And it works, barring the startup with systemd.

if your systemd file states nobind yet you specify a local port in the client config then it will not work...

>> So even with certificates you always have one end being the "tls-server" (i.e. waiting for an incoming connection) and one end the "tls-client" (the one initiating the connection).
>
> 'With certificates', yes. 'Even with certificates' implies that it isn't possible without either, which it seems to be.

HTH,

JJK

___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
[Openvpn-users] To Generate IPs by Range
Good afternoon!

How can I generate IPs by range using OpenVPN? I mean, we have 3 departments, and we need to generate an IP range per department. Example:

IT department: 10.0.8.2 to 10.0.8.20
Legal department: 10.0.8.21 to 10.0.8.30
Accounting department: 10.0.8.31 to 10.0.8.45

How can I do that?

José Fermín Francisco Ferreras
Registered User #579535 (LinuxCounter.net)
Re: [Openvpn-users] OpenVPN frequent renegotiation and sometimes downtime
Hi,

On Fri, Jul 24, 2020 at 11:20:24PM +0200, Marc SCHAEFER wrote:
> Jul 24 23:04:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
> Jul 24 23:04:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
> Jul 24 23:05:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
> Jul 24 23:05:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

This is definitely not right. Not sure what the default value for AES is (for BF-CBC it's 60 minutes), but it should be in the "many hours" range.

Check your config for "reneg-bytes", "reneg-pkts" and "reneg-sec" settings that are non-default.

(If this is not fruitful, try re-running with "verb 4" and see if there is more insight)

gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
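The renegotiation cadence in log lines like the ones quoted above can be checked mechanically. This added Python script is not from the thread: it parses syslog-style OpenVPN lines, groups the "Outgoing Data Channel ... initialized" events per client, and flags any two consecutive renegotiations closer together than the expected interval. The sample lines are constructed to match the quoted format, the year is an assumption (syslog timestamps carry none), and the 3600-second threshold is OpenVPN's reneg-sec default.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the log excerpt in the thread (not real data).
SAMPLE_LOG = """\
Jul 24 23:04:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:04:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:05:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:05:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:10:00 virtual ovpn-multiple[6235]: client07/other-IP:5001 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 25 00:10:00 virtual ovpn-multiple[6235]: client07/other-IP:5001 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
"""

# syslog timestamp, host, program[pid]:, then "<client>/<addr>:<port> Outgoing Data Channel: Cipher '<name>' initialized"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+: "
    r"(?P<client>[^/\s]+)/\S+ Outgoing Data Channel: Cipher '(?P<cipher>[^']+)' initialized"
)


def parse_outgoing_renegs(text, year=2020):
    """Return {client: [datetime, ...]}, one entry per outgoing data-channel key install.
    Only the outgoing line is counted so each renegotiation is recorded once.
    `year` is assumed because syslog timestamps omit it."""
    events = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.setdefault(m["client"], []).append(ts)
    return events


def find_short_intervals(text, min_seconds=3600, year=2020):
    """Return [(client, gap_seconds)] for consecutive renegotiations that arrive
    sooner than min_seconds apart; 3600 s is OpenVPN's reneg-sec default."""
    findings = []
    for client, stamps in parse_outgoing_renegs(text, year).items():
        stamps.sort()
        for earlier, later in zip(stamps, stamps[1:]):
            gap = (later - earlier).total_seconds()
            if gap < min_seconds:
                findings.append((client, gap))
    return findings


if __name__ == "__main__":
    for client, gap in find_short_intervals(SAMPLE_LOG):
        print(f"{client}: renegotiated after only {gap:.0f}s (expected >= 3600s)")
```

Run it over the real server log (with the correct year) to see which clients renegotiate too fast; a single offending client points at that client's reneg-* settings, while all clients offending points at the server side.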
Re: [Openvpn-users] OpenVPN frequent renegotiation and sometimes downtime
On Fri, Jul 24, 2020 at 11:20:32PM +0100, tincanteksup wrote:
> not sure how you have your configs setup (maybe post further details) but ..
> Using --verb 4 may help with extra log details.

Thank you, will collect more information. It now suspiciously looks like a firewall issue.