Re: [Openvpn-users] OpenVPN on port 443
On Thursday, January 25th, 2024 at 1:25 AM, Jochen Bern wrote:

> On 24.01.24 13:31, Hans via Openvpn-users wrote:
>
> > From: "Gert Doering" <mailto:g...@greenie.muc.de>
> > Date: Wednesday, 24 January 2024 at 13:03:30
> >
> > > On Wed, Jan 24, 2024 at 11:49:43AM +, Peter Davis via Openvpn-users
> > > wrote:
> > >
> > > > How can I make OpenVPN look like an HTTPS connection?
> > >
> > > You can't. OpenVPN is not https, so even if you use tcp/443, on a close
> > > enough look it will be clear "this is not HTTPS".
> >
> > How about using stunnel instead?
>
> stunnel may be able to wrap your (TCP) traffic into TLS, whose
> unencrypted parts may look more or less like the TLS interwoven into
> HTTPS, but it still won't make your hours-long single-server VPN
> connection with keepalives and key renegs in regular intervals and
> carrying an SSH login with its single-keystroke upstream packets look
> like you browsed a couple websites.
>
> Also, don't forget to configure the VPN server with --port-share, in
> case one of the nation-level censors you're trying to fool gets the idea
> of looking at your "interesting website" himself ...
>
> Kind regards,
> --
> Jochen Bern
> Systemingenieur
>
> Binect GmbH

Hi,
Can you tell me more about the --port-share?

___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] OpenVPN on port 443
On Wednesday, January 24th, 2024 at 3:38 PM, Marc SCHAEFER wrote:

> Hello,
>
> On Wed, Jan 24, 2024 at 11:49:43AM +, Peter Davis wrote:
>
> > I am testing this scenario in a virtual environment before moving it to the
> > real world.
>
> So, use subnets within private address ranges (10.0.0.0/8, 172.16.0.0/12,
> 192.168.0.0/16), or possibly some other reserved addresses [1].
>
> Do not use public addresses unless you own them.
>
> > How can I make OpenVPN look like an HTTPS connection?
>
> Do you mean to obfuscate OpenVPN traffic so that an attacker thinks it is
> legit web traffic?
>
> I don't think OpenVPN does that: but you can run OpenVPN over TCP over tor,
> and use all obfuscation methods that tor supports (obfs4, maybe even
> snowflake), some of them look like HTTPS.
>
> PS: please quote correctly (removing non pertaining text).
>
> [1] https://en.wikipedia.org/wiki/Private_network

Hello,
Thank you so much.
1- So my problem is the IP address range?
2- Yes. Can you tell me how to obfuscate OpenVPN through Tor?
[Openvpn-users] OpenVPN and V2Ray
Hello,
I want to use OpenVPN with V2Ray. I took a look at the OpenVPN configuration with Shadowsocks and saw that in the Client.conf file there were two lines as follows:

  socks-proxy 127.0.0.1 1080
  route SHADOWSOCKS_SERVER_IP 255.255.255.255 net_gateway

I have two questions:
1- Are these two lines required to configure OpenVPN with V2Ray?
2- How should the iptables rules be so that the traffic of the clients is transferred to the V2Ray server? Are firewall rules required when the above lines are used in the Client.conf file?

Thank you.
Re: [Openvpn-users] Can a configuration item be cleared in the server.conf file
Hello,

On Sat, Jan 27, 2024 at 01:06:15PM +0100, Jochen Bern wrote:
> (Note that, back when I had to try to get rid of the parameterless
> "--daemon" in the unit file, I found that the unit file would get
> overwritten with every update - unlike "normal" config files, where a new
> packaged version would be put into a *.rpmnew file when the update finds the
> current version manually changed.)

Debian supports conffiles: they are handled specially, changes from maintainer are presented to the sysadmin at package upgrade or installation time (conffiles can stay even if you remove a package, if you don't --purge it) and you can accept them or not, merge, etc. However, AFAIR most systemd files are not conffiles (since that would apparently conflict with some systemd internals), contrary to most configuration files of all of the other packages of the Debian system [1].

Debian supports diversions: the package system will make sure the file will always be updated elsewhere. That worked the last time I used it, but I no longer use it on systemd [2].

In emergency cases or in a RPM distribution, chattr +i could work (immutable) :)

However, the systemd supported way to do this is: copy the unit file from /lib/systemd/system/ to /etc/systemd/system/ and then make the changes there. Which is AFAIK what systemctl edit XXX does as you wrote.

[1] https://manpages.debian.org/testing/dpkg-dev/deb-conffiles.5.fr.html
[2] http://www.ixany.org/articles/divert-files-on-debian/
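Added example, not part of the thread and not OpenVPN, systemd or Debian project code: the /etc/systemd/system override described in the message above, written as a drop-in, for the case raised elsewhere in the thread where a parameterless flag such as "--daemon" cannot be cancelled by a later option. The unit contents, the openvpn-demo.service name and the temporary paths are constructed for illustration; make_dropin and demo_override are hypothetical helper names.

```shell
#!/bin/sh
# Added example: write a systemd drop-in that removes one parameterless flag
# from a unit's ExecStart. Helper names, paths and the sample unit are constructed.

# make_dropin UNIT_FILE FLAG DROPIN_DIR
# Writes DROPIN_DIR/override.conf; returns 1 if FLAG is not in ExecStart.
# Only handles a flag without an argument (the "--daemon" case in the thread).
make_dropin() {
    unit_file=$1 flag=$2 dropin_dir=$3

    # First ExecStart= line of the packaged unit.
    exec_line=$(sed -n '/^ExecStart=/{p;q;}' "$unit_file")
    [ -n "$exec_line" ] || return 1

    # Refuse to write an override that would change nothing.
    case " ${exec_line#ExecStart=} " in
        *" $flag "*) ;;
        *) return 1 ;;
    esac

    # Remove the flag as a whole word, then tidy the spacing.
    new_line=$(printf '%s \n' "$exec_line" |
        sed -e "s| $flag | |" -e 's|  *| |g' -e 's| $||')

    mkdir -p "$dropin_dir"
    # The empty ExecStart= clears the inherited command line; without it
    # systemd rejects a second ExecStart for a non-oneshot service.
    printf '[Service]\nExecStart=\n%s\n' "$new_line" > "$dropin_dir/override.conf"
}

# Runs make_dropin on a constructed unit in a temp dir and prints the drop-in.
demo_override() {
    tmp=$(mktemp -d)
    printf '%s\n' '[Service]' \
        'ExecStart=/usr/sbin/openvpn --daemon --config /etc/openvpn/server.conf' \
        > "$tmp/openvpn-demo.service"
    make_dropin "$tmp/openvpn-demo.service" --daemon \
        "$tmp/openvpn-demo.service.d" &&
        cat "$tmp/openvpn-demo.service.d/override.conf"
    rm -rf "$tmp"
}

demo_override
```

On a real host the drop-in directory is /etc/systemd/system/<unit>.d/, which a package update of the file under /lib/systemd/system/ does not overwrite; run systemctl daemon-reload after writing it.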
Re: [Openvpn-users] Can a configuration item be cleared in the server.conf file
On 27.01.24 10:37, Bo Berglund wrote:
> It seems like there is a global conf file somewhere which is used by all
> instances of the openvpn service, but I am confused by the various
> statements on how to edit this file.
> Please:
> Exactly where is this file? ( /path/to/conffile )

If I may put words into the mouths of the systemd maintainers: "None of your business. If you need the unit file(s) changed, you've been given the 'systemctl edit ...' command. If you touch the files directly, you're trying to do *our* job, and will be held liable to have acquired, and keep updated to, the required level of know-how."

(Note that, back when I had to try to get rid of the parameterless "--daemon" in the unit file, I found that the unit file would get overwritten with every update - unlike "normal" config files, where a new packaged version would be put into a *.rpmnew file when the update finds the current version manually changed.)

Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH
Re: [Openvpn-users] Can a configuration item be cleared in the server.conf file
On Sat, 27 Jan 2024 09:45:10 +0100, Bo Berglund wrote:

>On Mon, 22 Jan 2024 12:27:52 +0100, Gert Doering wrote:
>
>>Hi,
>>
>>On Mon, Jan 22, 2024 at 11:27:41AM +0100, Jochen Bern wrote:
>>> .02) OpenVPN prioritizes command line parameters over statements in config
>>> files on the theory that someone probably typed them in for *this*
>>> particular execution of the openvpn binary
>>
>>It doesn't. It depends on ordering
>>
>>  openvpn --config myconfig.ovpn --something foo
>>
>>will make "--something foo" override any occurrence of "--something" in
>>the config file, because it's coming *later*
>>
>>  openvpn --something foo --config myconfig.ovpn
>>
>>in this case, the config file will "win".
>>
>>Later occurrences of the same option override prior occurrences - which
>>for obvious reasons does not work for "turn this on" flags with no
>>parameter.
>>
>>gert
>
>So there is nothing that can be done?

To clarify:
It seems like there is a global conf file somewhere which is used by all instances of the openvpn service, but I am confused by the various statements on how to edit this file.
Please:
Exactly where is this file? ( /path/to/conffile )

The flag has to be removed from this very base file the services use...

--
Bo Berglund
Developer in Sweden
Re: [Openvpn-users] Can a configuration item be cleared in the server.conf file
On Mon, 22 Jan 2024 12:27:52 +0100, Gert Doering wrote:

>Hi,
>
>On Mon, Jan 22, 2024 at 11:27:41AM +0100, Jochen Bern wrote:
>> .02) OpenVPN prioritizes command line parameters over statements in config
>> files on the theory that someone probably typed them in for *this*
>> particular execution of the openvpn binary
>
>It doesn't. It depends on ordering
>
>  openvpn --config myconfig.ovpn --something foo
>
>will make "--something foo" override any occurrence of "--something" in
>the config file, because it's coming *later*
>
>  openvpn --something foo --config myconfig.ovpn
>
>in this case, the config file will "win".
>
>Later occurrences of the same option override prior occurrences - which
>for obvious reasons does not work for "turn this on" flags with no
>parameter.
>
>gert

So there is nothing that can be done?

--
Bo Berglund
Developer in Sweden