Re: [Openvpn-users] (no subject)
Hi,

On Thu, Dec 02, 2021 at 11:44:03PM +0100, Stella Ashburne wrote:
> OK. I surfed to https://build.openvpn.net/man/openvpn-2.5/openvpn.8.html
> which I guess is the latest version of man page of OpenVPN 2.5,
> right? According to it, "push-peer-info" is a server option.

Mmmh, indeed. You're right - this is a documentation bug, and we need to fix this.

The section heading is so far above the --push-peer-info section that I really missed that (I know where and how the option is used, and how it is implemented, so I tend to only look at the particular option to see if it's correctly documented, not at the overall context).

gert
--
"If was one thing all people took for granted, was conviction that if
 you feed honest figures into a computer, honest figures come out. Never
 doubted it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de

___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] (no subject)
Hi,

‐‐‐ Original Message ‐‐‐
On Friday, December 3rd, 2021 at 05:49, Nathan Stratton Treadway wrote:

> On Thu, Dec 02, 2021 at 23:42:04 +, tincantech via Openvpn-users wrote:
> > On Thursday, December 2nd, 2021 at 22:44, Stella Ashburne rewe...@gmx.com wrote:
> > > OK. I surfed to https://build.openvpn.net/man/openvpn-2.5/openvpn.8.html which I
> > > guess is the latest version of man page of OpenVPN 2.5, right?
> > > According to it, "push-peer-info" is a server option.
> >
> > That is the latest.
> >
> > What it says is: --push-peer-info
> > - Push additional information about the client to server. The
> >   following data is always pushed to the server..
> >
> > It clearly states "Push additional information about the client to server".
>
> I believe that what Stella is commenting on is the fact that
> --push-peer-info is listed in the "Server Options" section of the man
> page rather than the "Client Options" section

I do concur, the option may be oddly placed.. but its description is unambiguous.

Maintaining Openvpn-CE documentation is not a trivial undertaking, help is always appreciated.

R
Re: [Openvpn-users] (no subject)
On Thu, Dec 02, 2021 at 23:42:04 +, tincantech via Openvpn-users wrote:
> On Thursday, December 2nd, 2021 at 22:44, Stella Ashburne wrote:
> > OK. I surfed to https://build.openvpn.net/man/openvpn-2.5/openvpn.8.html which I
> > guess is the latest version of man page of OpenVPN 2.5, right?
> > According to it, "push-peer-info" is a server option.
>
> That is the latest.
>
> What it says is: --push-peer-info
> * Push additional information about the client to server. The
>   following data is always pushed to the server..
>
> It clearly states "Push *additional* information about the client to server".

I believe that what Stella is commenting on is the fact that
--push-peer-info is listed in the "Server Options" section of the man
page rather than the "Client Options" section

Nathan

Nathan Stratton Treadway - natha...@ontko.com - Mid-Atlantic region
Ray Ontko & Co. - Software consulting services - http://www.ontko.com/
GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt ID: 1023D/ECFB6239
Key fingerprint = 6AD8 485E 20B9 5C71 231C 0C32 15F3 ADCD ECFB 6239
Re: [Openvpn-users] (no subject)
Hi,

‐‐‐ Original Message ‐‐‐
On Thursday, December 2nd, 2021 at 22:44, Stella Ashburne wrote:

> Hi Gert
>
> Thanks for your reply.
>
> OK. I surfed to https://build.openvpn.net/man/openvpn-2.5/openvpn.8.html
> which I guess is the latest version of man page of OpenVPN 2.5, right?
> According to it, "push-peer-info" is a server option.

That is the latest.

What it says is: --push-peer-info
* Push additional information about the client to server. The
  following data is always pushed to the server..

It clearly states "Push *additional* information about the client to server".
The client will send even more data about itself, to the server, if you use --push-peer-info

There is nothing about this being a "server option".

If you do not use --push-peer-info then only the normal data, which openvpn always pushes, is pushed.

Don't be worried about a harmless MAC, they know who you are anyway ... meh-meh-meh.

hth
R
Re: [Openvpn-users] (no subject)
Hi Gert

Thanks for your reply.

> Sent: Friday, December 03, 2021 at 2:14 AM
> From: "Gert Doering"
> To: "Stella Ashburne"
> Cc: openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] (no subject)
>
> (I think we have a patch somewhere to clarify that - it might even be
> in the current man page. You looked at the 2.4 man page, which is OLD)
>
> gert
> --

OK. I surfed to https://build.openvpn.net/man/openvpn-2.5/openvpn.8.html which I guess is the latest version of man page of OpenVPN 2.5, right? According to it, "push-peer-info" is a server option.

Regards.

Stella
Re: [Openvpn-users] (no subject)
Hi,

On Thu, Dec 02, 2021 at 05:33:32PM +0100, Stella Ashburne wrote:
> > (It will only be sent if you have "push-peer-info" in your client config,
> > see "man openvpn" for what is always sent and what needs to be enabled)
>
> About "push-peer-info":
>
> I surfed to
> https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage?__cf_chl_jschl_tk__=JSUulbKidOapkzFKpsRhInXslT2sBquL7BK.lhuMS1s-1638461653-0-gaNycGzNCOU
> and learned that "push-peer-info" is an option in the server's
> configuration file and not in the client's.

It is not. Most of the time it is used in client configs (do not confuse with regular "push ", which *is* a server option). It can be used on the server, making the server send *its* versions to the client - which is rarely useful.

> If that's the case, can
> we specify an option in the client's configuration file to refuse
> to give to the server such details as IFACE and HWADDR?

By not having push-peer-info in the client's config.

> And since we are on the subject of "push-peer-info", I would appreciate it if
> you could clarify the following that is written in man openvpn:
>
> IV_HWADDR= -- the MAC address of clients default gateway
>
> By "default gateway", does the author of the man page refer to the router's
> MAC address or to the MAC address of the network interface card in my machine?

The MAC address of the network card used to reach the default gateway.

(I think we have a patch somewhere to clarify that - it might even be in the current man page. You looked at the 2.4 man page, which is OLD)

gert
Re: [Openvpn-users] (no subject)
Hi Gert

Thanks for your reply.

> Sent: Friday, December 03, 2021 at 12:09 AM
> From: "Gert Doering"
> To: "Stella Ashburne"
> Cc: openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] (no subject)
>
> It is not sent by default, so nothing to do here.

Thanks for your clarification, Gert.

> (It will only be sent if you have "push-peer-info" in your client config,
> see "man openvpn" for what is always sent and what needs to be enabled)

About "push-peer-info":

I surfed to https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage?__cf_chl_jschl_tk__=JSUulbKidOapkzFKpsRhInXslT2sBquL7BK.lhuMS1s-1638461653-0-gaNycGzNCOU and learned that "push-peer-info" is an option in the server's configuration file and not in the client's. If that's the case, can we specify an option in the client's configuration file to refuse to give to the server such details as IFACE and HWADDR?

And since we are on the subject of "push-peer-info", I would appreciate it if you could clarify the following that is written in man openvpn:

IV_HWADDR= -- the MAC address of clients default gateway

By "default gateway", does the author of the man page refer to the router's MAC address or to the MAC address of the network interface card in my machine?

> Thus: DO NOT USE A VPN PROVIDER THAT YOU DO NOT TRUST.

Thanks for your warning, Gert.

Regards.

Stella
Re: [Openvpn-users] [ext] (no subject)
Hi Ralf

Thanks for your reply.

> Sent: Thursday, December 02, 2021 at 11:41 PM
> From: "Ralf Hildebrandt"
> To: "Stella Ashburne"
> Cc: openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] [ext] (no subject)
>
> The log of the openvpn server you're connecting to.
> Both sides have a log. They look different.

No, I don't have access to the server's logs as my VPN provider is a commercial one.

> No, that's your client's log.

Thanks, Ralf, for your clarification and reassurance.

Regards.

Stella
Re: [Openvpn-users] (no subject)
Hi,

On Thu, Dec 02, 2021 at 04:23:23PM +0100, Stella Ashburne wrote:
> To mitigate the fingerprinting, is it possible to prevent the details of
> IFACE and HWADDR from being transmitted to my VPN provider?

It is not sent by default, so nothing to do here.

(It will only be sent if you have "push-peer-info" in your client config, see "man openvpn" for what is always sent and what needs to be enabled)

Also, the whole question is a bit weird. Your VPN provider can identify you by means of the account information you use to connect to them... and also, they can see where you surf, what DNS queries you do, etc.

Thus: DO NOT USE A VPN PROVIDER THAT YOU DO NOT TRUST.

gert
Re: [Openvpn-users] [ext] (no subject)
Hi Ralf

Thanks for your reply.

> Sent: Thursday, December 02, 2021 at 11:39 PM
> From: "Ralf Hildebrandt"
> To: openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] [ext] (no subject)
>
> BUT if you care about fingerprinting, check the IV_* variables, example:
>
> ip.add.re.ss:49786 peer info: IV_VER=3.git::58b92569
> ip.add.re.ss:49786 peer info: IV_PLAT=ios
> ip.add.re.ss:49786 peer info: IV_NCP=2
> ip.add.re.ss:49786 peer info: IV_TCPNL=1
> ip.add.re.ss:49786 peer info: IV_PROTO=2
> ip.add.re.ss:49786 peer info: IV_LZO_STUB=1
> ip.add.re.ss:49786 peer info: IV_COMP_STUB=1
> ip.add.re.ss:49786 peer info: IV_COMP_STUBv2=1
> ip.add.re.ss:49786 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
> ip.add.re.ss:49786 peer info: IV_SSO=openurl

I'm a bit lost. Where do I check the IV_* variables? How do I check them, i.e. what commands do I need to type in a terminal?

Regards.

Stella
Re: [Openvpn-users] [ext] (no subject)
* Stella Ashburne :
> > That's your log or the server's log?
>
> What do you mean by server's log please?

The log of the openvpn server you're connecting to.
Both sides have a log. They look different.

> In a terminal, I connect my machine to a server provided by my VPN
> provider. As a connection is being made, many lines of text flash
> across the terminal. Please tell me if the lines of text that I see
> belong to the server's log?

No, that's your client's log.

--
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk
Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155
ralf.hildebra...@charite.de
https://www.charite.de
Re: [Openvpn-users] [ext] (no subject)
* Stella Ashburne :
> Hi
>
> Below is a partial log after my machine has connected successfully to my VPN
> provider's server:
>
> 2021-11-20 09:18:08 us=74921 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
> 2021-11-20 09:18:08 us=74956 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
> 2021-11-20 09:18:08 us=75010 net_route_v4_best_gw query: dst 0.0.0.0
> 2021-11-20 09:18:08 us=75225 net_route_v4_best_gw result: via 192.168.0.1 dev enp850kd
> 2021-11-20 09:18:08 us=75299 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=enp850kd HWADDR=25:d3:a1:0e:6c:13
>
> Am I correct to say that my VPN provider can store personally identifiable
> information such as IFACE and HWADDR to fingerprint me?

No. It's merely in your log.

> To mitigate the fingerprinting, is it possible to prevent the details of
> IFACE and HWADDR from being transmitted to my VPN provider?

It's not transmitted. On my server's log:

# egrep "(IFACE|HWADDR)" /var/log/syslog /var/log/daemon.log
#

BUT if you care about fingerprinting, check the IV_* variables, example:

ip.add.re.ss:49786 peer info: IV_VER=3.git::58b92569
ip.add.re.ss:49786 peer info: IV_PLAT=ios
ip.add.re.ss:49786 peer info: IV_NCP=2
ip.add.re.ss:49786 peer info: IV_TCPNL=1
ip.add.re.ss:49786 peer info: IV_PROTO=2
ip.add.re.ss:49786 peer info: IV_LZO_STUB=1
ip.add.re.ss:49786 peer info: IV_COMP_STUB=1
ip.add.re.ss:49786 peer info: IV_COMP_STUBv2=1
ip.add.re.ss:49786 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
ip.add.re.ss:49786 peer info: IV_SSO=openurl

--
Ralf Hildebrandt
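To see what the `peer info:` lines above expose per client, here is an added Python example (my own code, not from the list or from OpenVPN) that pulls such lines out of a server log, groups them by client, and flags clients whose config has push-peer-info. The split between always-sent fields and push-peer-info-only fields is my reading of the OpenVPN 2.5 man page and is an assumption to verify against your version; the second client's lines and its MAC are constructed.

```python
import re
from collections import defaultdict

# Fields that, as I read the OpenVPN 2.5 man page, a client sends only when its
# config contains --push-peer-info; the other IV_ fields are always sent.
# Assumption: confirm this list against the man page of the version you run.
PUSH_PEER_INFO_ONLY = {"IV_HWADDR", "IV_SSL", "IV_PLAT_VER"}

# Matches "<client addr:port> peer info: KEY=value", with or without a syslog
# prefix in front of it (search() skips the prefix).
PEER_INFO_RE = re.compile(r"(?P<peer>\S+) peer info: (?P<key>\w+)=(?P<value>.*)$")


def parse_peer_info(lines):
    """Group every peer info field by client address; other lines are ignored."""
    peers = defaultdict(dict)
    for line in lines:
        m = PEER_INFO_RE.search(line.rstrip())
        if m:
            peers[m.group("peer")][m.group("key")] = m.group("value")
    return dict(peers)


def audit_peers(peers):
    """Per client: the fields that only appear when push-peer-info is enabled.

    UV_* user variables are grouped with the push-peer-info extras (assumption).
    """
    report = {}
    for peer, info in peers.items():
        extended = sorted(k for k in info
                          if k in PUSH_PEER_INFO_ONLY or k.startswith("UV_"))
        report[peer] = {
            "push_peer_info": bool(extended),
            "extended_fields": extended,
            "field_count": len(info),
        }
    return report


# Constructed sample: the iOS client is the one shown in the thread (baseline
# fields only); the Linux client is made up and has push-peer-info enabled, so
# it also reveals its NIC MAC (placeholder from the documentation range) and
# TLS library, plus a user-defined UV_ variable.
SAMPLE_LOG = """\
ip.add.re.ss:49786 peer info: IV_VER=3.git::58b92569
ip.add.re.ss:49786 peer info: IV_PLAT=ios
ip.add.re.ss:49786 peer info: IV_NCP=2
ip.add.re.ss:49786 peer info: IV_TCPNL=1
ip.add.re.ss:49786 peer info: IV_PROTO=2
ip.add.re.ss:49786 peer info: IV_LZO_STUB=1
ip.add.re.ss:49786 peer info: IV_COMP_STUB=1
ip.add.re.ss:49786 peer info: IV_COMP_STUBv2=1
ip.add.re.ss:49786 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
ip.add.re.ss:49786 peer info: IV_SSO=openurl
Dec  2 22:44:03 vpn openvpn[1234]: 198.51.100.7:51234 peer info: IV_VER=2.5.5
Dec  2 22:44:03 vpn openvpn[1234]: 198.51.100.7:51234 peer info: IV_PLAT=linux
Dec  2 22:44:03 vpn openvpn[1234]: 198.51.100.7:51234 peer info: IV_HWADDR=00:00:5e:00:53:01
Dec  2 22:44:03 vpn openvpn[1234]: 198.51.100.7:51234 peer info: IV_SSL=OpenSSL 1.1.1k  25 Mar 2021
Dec  2 22:44:03 vpn openvpn[1234]: 198.51.100.7:51234 peer info: UV_TEAM=constructed
""".splitlines()

if __name__ == "__main__":
    for peer, row in audit_peers(parse_peer_info(SAMPLE_LOG)).items():
        flag = "push-peer-info ON" if row["push_peer_info"] else "baseline only"
        print(f"{peer:<22} {flag:<18} extra={row['extended_fields']}")
```

Run it against your own server log by replacing SAMPLE_LOG with the file's lines; a client that shows up with IV_HWADDR is one whose config has push-peer-info, which is the thing Gert says to leave out if you do not want the MAC sent.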
Re: [Openvpn-users] [ext] (no subject)
Hi Ralf

Thanks for your reply.

> Sent: Thursday, December 02, 2021 at 11:27 PM
> From: "Ralf Hildebrandt"
> To: openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] [ext] (no subject)
>
> That's your log or the server's log?

What do you mean by server's log please? I use Debian 11 distro as my operating system. In a terminal, I connect my machine to a server provided by my VPN provider. As a connection is being made, many lines of text flash across the terminal. Please tell me if the lines of text that I see belong to the server's log?

> > To mitigate the fingerprinting, is it possible to prevent the details of
> > IFACE and HWADDR from being transmitted to my VPN provider?
>
> Are they REALLY transmitted to your VPN provider?

I honestly don't know because I don't have the requisite IT skills to do it.

Regards.

Stella
Re: [Openvpn-users] [ext] (no subject)
* Stella Ashburne :
> Hi
>
> Below is a partial log after my machine has connected successfully to my VPN
> provider's server:
>
> 2021-11-20 09:18:08 us=74921 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
> 2021-11-20 09:18:08 us=74956 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
> 2021-11-20 09:18:08 us=75010 net_route_v4_best_gw query: dst 0.0.0.0
> 2021-11-20 09:18:08 us=75225 net_route_v4_best_gw result: via 192.168.0.1 dev enp850kd
> 2021-11-20 09:18:08 us=75299 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=enp850kd HWADDR=25:d3:a1:0e:6c:13
>
> Am I correct to say that my VPN provider can store personally identifiable
> information such as IFACE and HWADDR to fingerprint me?

That's your log or the server's log?

> To mitigate the fingerprinting, is it possible to prevent the details of
> IFACE and HWADDR from being transmitted to my VPN provider?

Are they REALLY transmitted to your VPN provider?

Ralf Hildebrandt
[Openvpn-users] (no subject)
Hi

Below is a partial log after my machine has connected successfully to my VPN provider's server:

2021-11-20 09:18:08 us=74921 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-11-20 09:18:08 us=74956 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-11-20 09:18:08 us=75010 net_route_v4_best_gw query: dst 0.0.0.0
2021-11-20 09:18:08 us=75225 net_route_v4_best_gw result: via 192.168.0.1 dev enp850kd
2021-11-20 09:18:08 us=75299 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=enp850kd HWADDR=25:d3:a1:0e:6c:13

Am I correct to say that my VPN provider can store personally identifiable information such as IFACE and HWADDR to fingerprint me?

To mitigate the fingerprinting, is it possible to prevent the details of IFACE and HWADDR from being transmitted to my VPN provider?

Regards.

Stella
Re: [Openvpn-users] topology subnet and ifconfig-push
Hi Aleksandar,

On 01/12/21 20:23, Aleksandar Ivanisevic wrote:
> On 1. Dec 2021, at 18:48, Gert Doering wrote:
> > You might have hit that subnet in the pool, and then decided "I want to
> > make it static", picking the same subnet for ccd/
>
> Yes, that’s exactly what happened, but I’ve just checked the revision control and it was back in 2009! There must be something that prevents clashes, or at least hands out the IPs from the pool differently so that .5 never gets handed out, no one can be that lucky for that long ;)
>
> Anyway, thanks for the confirmation, I’ve shrunk the pool and assigned static IPs outside of the pool and all is well.

as extra information: with the old-style net30 pool a client is normally never handed the .5 address, but the .6 address:

inet 10.200.0.10 peer 10.200.0.9/32 scope global noprefixroute tun0

the remote endpoint address is never pingable so perhaps you got extra lucky this way...

HTH,

JJK
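As an added illustration (my own code, not from the list or from OpenVPN) of the net30 arithmetic JJK describes and of the pool/ccd overlap Aleksandar ran into: it enumerates the /30 blocks a net30 pool hands out and checks ccd `ifconfig-push` lines against that range. It assumes the pool is carved into consecutive /30 blocks starting at the pool's first address, with the client taking the third address of each block and the server-side endpoint the second (so .6/.5, then .10/.9, as in the ip output above); the pool bounds and ccd lines are constructed.

```python
import ipaddress


def net30_blocks(pool_start, pool_end):
    """Yield (client_ip, server_endpoint_ip) for each /30 carved from the pool.

    Assumption: blocks are consecutive from pool_start; the client gets the
    third address of a block and its peer endpoint the second, which is why a
    client sees e.g. 10.200.0.10 with peer 10.200.0.9 and never gets the .5.
    """
    cur = ipaddress.IPv4Address(pool_start)
    end = ipaddress.IPv4Address(pool_end)
    while cur + 3 <= end:
        yield str(cur + 2), str(cur + 1)
        cur += 4


def ccd_clashes(ccd_lines, pool_start, pool_end):
    """Return the ifconfig-push lines whose addresses fall inside the pool range.

    A static assignment inside the pool can collide with a dynamically
    assigned client, so the fix is to move the static address outside the pool
    (or shrink the pool), which is what the thread ended up doing.
    """
    start = ipaddress.IPv4Address(pool_start)
    end = ipaddress.IPv4Address(pool_end)
    clashes = []
    for line in ccd_lines:
        parts = line.split()
        if len(parts) == 3 and parts[0] == "ifconfig-push":
            addrs = (ipaddress.IPv4Address(parts[1]), ipaddress.IPv4Address(parts[2]))
            if any(start <= a <= end for a in addrs):
                clashes.append(line.strip())
    return clashes


# Constructed example: a 10.200.0.0/24 server with the default net30 pool
# (server uses .1/.2, pool starts at .4) and two ccd entries, one inside
# the pool and one that was moved to the top of the /24.
POOL_START, POOL_END = "10.200.0.4", "10.200.0.251"
CCD_LINES = [
    "ifconfig-push 10.200.0.6 10.200.0.5",      # clashes with the first pool block
    "ifconfig-push 10.200.0.254 10.200.0.253",  # outside the pool: fine
]

if __name__ == "__main__":
    for client, endpoint in list(net30_blocks(POOL_START, POOL_END))[:3]:
        print(f"client {client:<13} peer {endpoint}")
    print("clashing ccd entries:", ccd_clashes(CCD_LINES, POOL_START, POOL_END))
```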