Re: [Openvpn-users] Critical OpenVPN Zero-Day Flaws Affecting Millions of Endpoints Across the Globe
Hi,

On Thursday, 16 May 2024 at 15:17, Gert Doering wrote:

> Hi,
>
> On Thu, May 16, 2024 at 05:05:37PM +0300, M Mikky wrote:
>
> > It looks primarily like another attempt to combat the globally used OpenVPN,
> > since Microsoft has its own relatively little-used VPN product.
>
> Given that a Microsoft employee has worked with us to actually fix
> the bugs, before disclosure, this is not a conspiracy by Microsoft to
> make OpenVPN "look bad". It's just BlackHat marketing.

Given that Microsoft are fast approaching half a century of documented corporate abuse, it will take more than one act of "good will" to make even a scratch in their hard-fought and well-deserved [bad] reputation.

This is not a "conspiracy theory", this is "Once bitten..."

Regards

___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] Strange case of "MULTI: bad source address from client"
Hi,

On Thursday, 25 April 2024 at 08:51, Bruno Tréguier via Openvpn-users wrote:

> Or am I totally wrong about the possible cause?

Yes, you are "totally wrong"..

The packet is dropped because no route exists for the source address. You can configure the required route at the server end only. However, that has nothing to do with connectivity to the VPN or any expected traffic.

This is all clearly explained in the OpenVPN Howto.

FTR, the reason that the square brackets [] do not show information is to preserve Client privacy.

HTH,
tct

> Thanks for any help!
>
> Best regards,
>
> Bruno
Re: [Openvpn-users] key length
Hi,

On Wednesday, 21 February 2024 at 14:39, Hans via Openvpn-users wrote:

> Dear all,
>
> Last week I got a reminder, that (at least in Germany by the BSI) the
> minimum key-length has been changed to 3072 bits.
>
> And before someone is going to mention it: yes, I know that according to
> NIST, 2K keys could be used until 2030
>
> So, can Openvpn handle keys longer than 2K?

EasyRSA and OpenVPN work correctly with "up to and at least" 4096-bit RSA keys.

Other cryptographic key mechanisms may or may not require that many bits.

HTH
tct
--
Re: [Openvpn-users] Client history
Hi,

On Wednesday, 21 February 2024 at 06:59, Peter Davis via Openvpn-users wrote:

> Hi,
> I got the following error:
>
> # sh /etc/openvpn/scripts/script-events.sh
> /etc/openvpn/scripts/script-events.sh: 6: [: ==: unexpected operator
> /etc/openvpn/scripts/script-events.sh: 14: [: unexpected operator
> /etc/openvpn/scripts/script-events.sh: 16: [: unexpected operator

The script requires a running openvpn server process to supply the $script_type value.

HTH
tct
--
Re: [Openvpn-users] Two questions about key generation for clients
Hi,

On Monday, January 22nd, 2024 at 11:23 PM, David Sommerseth wrote:

> On 21/01/2024 17:34, tincantech via Openvpn-users wrote:
>
> > > Can I edit this file and remove the item --suppress-timestamps to possibly
> > > enable the timestamps? And remove the machine-readable-output item in the
> > > actual service conf file?
> > > Will that result in human-readable timestamps?
> >
> > The recommended method is to copy the file to /etc/systemd/system.
>
> Actually, the preferred way is to use
>
> # systemctl edit openvpn-server@CONFIG_NAME

Yes, 'systemctl edit' is the preferred method, I should have mentioned that.

Thank you David, regards
tct
--
Re: [Openvpn-users] Can a configuration item be cleared in the server.conf file
Hi,

On Sunday, January 21st, 2024 at 9:17 PM, Gert Doering wrote:

> Hi,
>
> On Sun, Jan 21, 2024 at 09:08:01PM +0100, Bo Berglund wrote:
>
> > Now I wonder if there is anything at all one can do on a server instance
> > level to disable that setting such that the timestamps are returned to the
> > logfiles?
> > Like:
> > "reset suppress-timestamps"
> > or similar?
>
> OpenVPN does not assume to be called from something that sets undesired
> variables to be cleared again later on - which would make the config
> handling even more complex than it is today.
>
> Systemd assumes that the world behaves like systemd developers think
> it should, so "no timestamps" and "all logs go to the systemd journal".

If the use of --suppress-timestamps is aimed at systemd, then perhaps, when options --log or --log-append (which both ultimately bypass systemd-journald) are in use, they could reset the --suppress-timestamps flag.

If --suppress-timestamps is used after all --log* options then it would be in effect, like other options, whereby "last option wins!".

Regards
tct
--
Re: [Openvpn-users] Can a configuration item be cleared in the server.conf file
Sent with Proton Mail secure email.

On Sunday, January 21st, 2024 at 8:08 PM, Bo Berglund wrote:

> This is a discussion that started in another unrelated thread titled:
> "Two questions about key generation for clients"
> but which does not deal with that, so I am continuing separately here.
>
> The issue:
> --
> Inside the globally set openvpn server configuration this item is defined:
> --suppress-timestamps
>
> This means that all server instances will get this set even though it is not
> in the instance's own conf file!
>
> Now I wonder if there is anything at all one can do on a server instance level
> to disable that setting such that the timestamps are returned to the logfiles?
> Like:
> "reset suppress-timestamps"
> or similar?

At this time, once set, --suppress-timestamps cannot be cleared.

I agree that this behavior can be frustrating. It is counter-intuitive for the server conf file to allow redirecting the log outside of systemd but not allow resetting the --suppress-timestamps flag.

Regards
tct
--
Re: [Openvpn-users] Two questions about key generation for clients
Hi,

On Sunday, January 21st, 2024 at 1:42 PM, Bo Berglund wrote:

> I looked around and found this File:
>
> /lib/systemd/system/openvpn-server@.service

That is the openvpn server unit file.

> Can I edit this file and remove the item --suppress-timestamps to possibly
> enable the timestamps? And remove the machine-readable-output item in the
> actual service conf file?
> Will that result in human-readable timestamps?

The recommended method is to copy the file to /etc/systemd/system.
Then rename it to openvpn-server@${YOUR_SERVER_CONF_FILE_NAME}.service
Then make your changes.

"YOUR_SERVER_CONF_FILE_NAME" does not include the .conf file extension.

Starting/stopping etc. will then use the new file for that specific server and not change the upstream file. This means that your changes will not be overwritten by package updates.

> And why is there a --suppress-timestamps item in the
> /lib/systemd/system/openvpn-server@.service file to begin with?

Openvpn disables built-in timestamps and relies on systemd for time stamps.

Regards
tct
--
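The copy/rename/edit procedure above, scripted, as an added example that is not from the thread (David Sommerseth's follow-up further up the page notes that `systemctl edit openvpn-server@CONFIG_NAME` is the preferred alternative; this keeps the whole unit in one readable file instead). The packaged unit's exact contents vary by distribution, so the demo feeds a constructed unit of the same shape; `/usr/sbin/openvpn`, the name `myserver` and the temp directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): automate the copy/rename/edit steps.
# make_instance_unit PACKAGED_UNIT CONF_NAME DEST_DIR
#   PACKAGED_UNIT: e.g. /lib/systemd/system/openvpn-server@.service
#   CONF_NAME:     server conf file name without the .conf extension
#   DEST_DIR:      normally /etc/systemd/system (a temp dir in the demo below)
# Writes DEST_DIR/openvpn-server@CONF_NAME.service with --suppress-timestamps
# removed from ExecStart= and prints the new path. Run 'systemctl daemon-reload'
# afterwards so systemd reads the new unit.
make_instance_unit() {
    src="$1"; name="$2"; dest="$3"
    case "$name" in
        ""|*.conf) echo "CONF_NAME must be non-empty and given without .conf" >&2; return 1 ;;
    esac
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    [ -d "$dest" ] || { echo "no such directory: $dest" >&2; return 1; }
    out="$dest/openvpn-server@$name.service"
    # Edit only ExecStart= lines; everything else is copied unchanged.
    sed '/^ExecStart=/s/ --suppress-timestamps//' "$src" > "$out" || return 1
    # Fail loudly if the flag survived anywhere (e.g. a second ExecStart line).
    if grep -q -- '--suppress-timestamps' "$out"; then
        echo "--suppress-timestamps still present in $out" >&2
        return 1
    fi
    printf '%s\n' "$out"
}

# Demo on a constructed unit file that mirrors the shape of the packaged one
# (not a verbatim copy of any distribution's unit).
demo_instance_unit() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/openvpn-server@.service" <<'EOF'
[Unit]
Description=OpenVPN service for %I
After=network-online.target

[Service]
Type=notify
WorkingDirectory=/etc/openvpn/server
ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf

[Install]
WantedBy=multi-user.target
EOF
    make_instance_unit "$tmp/openvpn-server@.service" myserver "$tmp"
}
```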
Re: [Openvpn-users] Two questions about key generation for clients
On Saturday, January 20th, 2024 at 11:05 PM, tincantech via Openvpn-users wrote:

> Hi,
>
> On Saturday, January 20th, 2024 at 6:57 PM, Bo Berglund bo.bergl...@gmail.com wrote:
>
> > On Sat, 20 Jan 2024 18:41:17 +0100, Gert Doering g...@greenie.muc.de wrote:
> >
> > > > Is it possible to notify the previous user via email or SMS when another
> > > > user connects to the server with the same key?
> > >
> > > Anything can be done via --client-connect / --client-disconnect scripts.
> >
> > Very interesting, I did not know about this
>
> "Anything" is absolutely NOT correct, in this context.
>
> Certain things may (or may not) be achievable via --client-connect/disconnect.
>
> While the man page does not make this clear, I am quite certain that duplicate
> client connections are dropped before --client-connect fires.
>
> Regards
> tct
> --

For posterity:

Server log --verb 4:

2024-01-21 03:06:59 us=764987 10.1.101.36:33510 [tct.66.c.w10.dan] Peer Connection Initiated with [AF_INET]10.1.101.36:33510
2024-01-21 03:06:59 us=765204 MULTI: new connection by client 'tct.66.c.w10.dan' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
2024-01-21 03:06:59 us=765233 MULTI_sva: pool returned IPv4=10.126.66.121, IPv6=(Not enabled)
2024-01-21 03:06:59 us=765311 OPTIONS IMPORT: reading client specific options from: tuns_12666u/CCD_subnet/tct.66.c.w10.dan
TEST --client-connect script

'TEST --client-connect script' is the configured --client-connect script output.

Feed the machine.

tct
--
Re: [Openvpn-users] Two questions about key generation for clients
Hi,

On Saturday, January 20th, 2024 at 6:57 PM, Bo Berglund wrote:

> On Sat, 20 Jan 2024 18:41:17 +0100, Gert Doering g...@greenie.muc.de wrote:
>
> > > Is it possible to notify the previous user via email or SMS when another
> > > user connects to the server with the same key?
> >
> > Anything can be done via --client-connect / --client-disconnect scripts.
>
> Very interesting, I did not know about this

"Anything" is absolutely NOT correct, in this context.

Certain things may (or may not) be achievable via --client-connect/disconnect.

While the man page does not make this clear, I am quite certain that duplicate client connections are dropped *before* --client-connect fires.

Regards
tct
--
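Since the earlier session is dropped before --client-connect fires, the notification Bo asked about cannot come from that hook; it can come from the server log, which the --verb 4 excerpt in the "For posterity" follow-up above shows. The following POSIX sh/awk scanner is an added example, not code from the thread: it reads a server log on stdin and, for each "MULTI: new connection by client ... will cause previous active sessions ... to be dropped" notice, reports the CN, the new peer and the peer whose session was cut off. The sample log reuses the lines quoted above; the earlier session from 203.0.113.5 is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): find displaced sessions in an OpenVPN
# server log. Pairs each "Peer Connection Initiated" line with the following
# MULTI notice, so the alert names the session that was cut off, which a
# --client-connect hook cannot see because the drop happens first.
# Reads the log on stdin; prints one line per displaced session.
scan_dup_cn() {
    awk -v q="'" '
    {
        # "<peer> [<cn>] Peer Connection Initiated with ...": remember the
        # previous peer for this CN before recording the new one.
        if (match($0, / [^ ]+ \[[^]]+\] Peer Connection Initiated with /)) {
            seg = substr($0, RSTART + 1, RLENGTH - 1)
            split(seg, f, " ")
            peer = f[1]
            i = index(seg, "["); j = index(seg, "]")
            cn = substr(seg, i + 1, j - i - 1)
            prev[cn] = (cn in active) ? active[cn] : "-"
            active[cn] = peer
            next
        }
        # The MULTI notice is authoritative: without --duplicate-cn the server
        # drops the earlier session at this point. Extract the quoted CN.
        if (index($0, "MULTI: new connection by client " q)) {
            s = $0
            sub(".*MULTI: new connection by client " q, "", s)
            sub(q ".*", "", s)
            printf "%s %s DUPLICATE cn=%s new=%s previous=%s\n", $1, $2, s, active[s], prev[s]
        }
    }'
}

# Constructed sample log: an earlier session from 203.0.113.5, then the
# --verb 4 lines quoted in the thread.
demo_scan_dup_cn() {
    scan_dup_cn <<'EOF'
2024-01-21 02:58:10 us=100000 203.0.113.5:40000 [tct.66.c.w10.dan] Peer Connection Initiated with [AF_INET]203.0.113.5:40000
2024-01-21 02:58:10 us=100200 MULTI_sva: pool returned IPv4=10.126.66.121, IPv6=(Not enabled)
2024-01-21 03:06:59 us=764987 10.1.101.36:33510 [tct.66.c.w10.dan] Peer Connection Initiated with [AF_INET]10.1.101.36:33510
2024-01-21 03:06:59 us=765204 MULTI: new connection by client 'tct.66.c.w10.dan' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
2024-01-21 03:06:59 us=765233 MULTI_sva: pool returned IPv4=10.126.66.121, IPv6=(Not enabled)
EOF
}
```

Feed it a live log with `tail -F /var/log/openvpn/server.log | scan_dup_cn` and pipe the output to whatever notifies the displaced user.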
Re: [Openvpn-users] Limit the number of users based on the key
Hi,

On Monday, January 15th, 2024 at 4:40 PM, Gert Doering wrote:

> Hi,
>
> On Mon, Jan 15, 2024 at 04:35:40PM +, Peter Davis wrote:
>
> > If so, why is there a directory named "client" under /etc/openvpn/
> > directory?

The /etc/openvpn/client directory is intended for use of client openvpn configuration files. Specifically, for use with systemd. You will need to familiarise yourself with systemd to continue. I believe openvpn have a little systemd integration documentation, somewhere ..

YMMV
tct
Re: [Openvpn-users] tls-crypt2
Hi,

On Monday, 8 January 2024 at 20:46, Antonio Quartulli wrote:

> Hi,
>
> On 08/01/2024 21:34, Hans via Openvpn-users wrote:
>
> > 1) how can I revoke a SINGLE client key (as this was suggested as a
> > 'new feature')
>
> TLS-Crypt-V2 keys are not X509 keys and cannot be "revoked".
> This is why you couldn't find any "how" on the Internet. You need to
> build the logic by yourself.

Alternatively, you can take a look at how Easy-TLS achieves this functionality:
* https://github.com/TinCanTech/easy-tls

Easy-TLS uses a disabled-list to disable individual TLS-Crypt-V2 keys.

HTH
tct
--
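The disabled-list idea as a minimal --tls-crypt-v2-verify hook, added here as an example that is not Easy-TLS code. It assumes what the man page entry for --tls-crypt-v2-verify documents (confirm against your version): OpenVPN writes the client key's metadata to the file named by $metadata_file and its kind to $metadata_type ("0" user-supplied, "1" timestamp), and a non-zero exit rejects the key. The list path variable TCV2_DISABLED_LIST, the list format (one metadata string per line) and the sample metadata strings are assumptions.

```shell
#!/bin/sh
# Added example, not Easy-TLS code: reject a connecting client whose
# TLS-Crypt-V2 key metadata appears in a disabled-list. Env vars metadata_file
# and metadata_type are per the --tls-crypt-v2-verify man page entry; the list
# path env var TCV2_DISABLED_LIST is assumed (set it in the unit or config env).
# Assumed server config line: tls-crypt-v2-verify /etc/openvpn/server/tcv2-verify.sh

check_tcv2_metadata() {
    mfile="$1"; mtype="$2"; dlist="$3"
    # Only user-supplied metadata identifies a client; a bare timestamp cannot
    # be matched against a list, so treat that as a configuration error.
    [ "$mtype" = "0" ] || { printf 'tcv2-verify: unsupported metadata type "%s"\n' "$mtype" >&2; return 1; }
    [ -r "$mfile" ] || { echo "tcv2-verify: cannot read metadata file" >&2; return 1; }
    # Fail closed: a missing or unreadable list rejects everyone rather than
    # silently re-enabling disabled keys.
    [ -r "$dlist" ] || { printf 'tcv2-verify: cannot read disabled list "%s"\n' "$dlist" >&2; return 1; }
    # Metadata is raw bytes; collapse it to one line for an exact comparison.
    meta=$(tr -d '\n\r' < "$mfile")
    [ -n "$meta" ] || { echo "tcv2-verify: empty metadata" >&2; return 1; }
    # Exact whole-line match (-F: no regex, -x: whole line); a substring of a
    # listed entry is not a match.
    if grep -Fxq -- "$meta" "$dlist"; then
        printf 'tcv2-verify: key with metadata "%s" is disabled\n' "$meta" >&2
        return 1
    fi
    return 0
}

# Entry point when invoked by OpenVPN (metadata_file is set only then).
if [ -n "${metadata_file:-}" ]; then
    check_tcv2_metadata "$metadata_file" "${metadata_type:-}" "${TCV2_DISABLED_LIST:-}"
    exit $?
fi
```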
Re: [Openvpn-users] I have a question about Easy-RSA
Hi,

On Saturday, 6 January 2024 at 06:48, Peter Davis via Openvpn-users wrote:

> Hello,
>
> I edited the vars file as below and created an OpenVPN server:
>
> export KEY_COUNTRY="US"
> export KEY_PROVINCE="CA"
> export KEY_CITY="NY"
> export KEY_ORG="GreatCoder"
> export KEY_EMAIL="ad...@greatcoder.xyz"
> export KEY_OU="OpenVPN"
>
> Now I want to create another server and when I use the command "./easyrsa
> init-pki", then the following message is displayed:
>
> # ./easyrsa init-pki
> WARNING!!!
>
> You are about to remove the EASYRSA_PKI at:
> * /etc/openvpn/easy-rsa/pki
>
> and initialize a fresh PKI here.
>
> Type the word 'yes' to continue, or any other input to abort.
> Confirm removal:
>
> All the servers I want to make are for one company. Can I ignore the above
> message?
>
> Thanks.

No. You CAN NOT ignore the message.

YMMV.
Re: [Openvpn-users] I have a question about Easy-RSA
On Saturday, 6 January 2024 at 06:48, Peter Davis via Openvpn-users wrote:

> Hello,
>
> I edited the vars file as below and created an OpenVPN server:
>
> export KEY_COUNTRY="US"
> export KEY_PROVINCE="CA"
> export KEY_CITY="NY"
> export KEY_ORG="GreatCoder"
> export KEY_EMAIL="ad...@greatcoder.xyz"
> export KEY_OU="OpenVPN"
>
> Now I want to create another server and when I use the command "./easyrsa
> init-pki", then the following message is displayed:
>
> # ./easyrsa init-pki
> WARNING!!!
>
> You are about to remove the EASYRSA_PKI at:
> * /etc/openvpn/easy-rsa/pki
>
> and initialize a fresh PKI here.
>
> Type the word 'yes' to continue, or any other input to abort.
> Confirm removal:
>
> All the servers I want to make are for one company. Can I ignore the above
> message?

If you are accustomed to ignoring WARNINGS then I presume that you have suitable backups to recover from your mistakes.

> Thanks.
Re: [Openvpn-users] easy-rsa
Hi,

On Friday, 29 December 2023 at 20:29, Richard Couture wrote:

> I have totally reinitialized the system with new certs created by
> easy-rsa v.3 and the results, though not successful are definitely
> better.

You are missing --keepalive from your server config. Thus the time out.

HTH
--
Re: [Openvpn-users] easy-rsa
Hi,

On Thursday, 28 December 2023 at 04:15, Leroy Tennison via Openvpn-users wrote:

> These are truly wild guesses but

All good advice.

> On Wednesday, December 27, 2023 at 09:13:21 PM CST, Richard Couture wrote:
>
> The new server with Mageia 9 has installed
> openvpn-2.5.9-1.mga9
> which is hassling me by not authenticating users

What is "the reason" that users are not being authenticated? See your logs at --verb 4 for full details.

> My question is
>
> Is there some trick to using easy-rsa with openvpn 2.5.9 ?

There is no trick. If there is a problem with using `easyrsa` then please give us details of that.

> I DID recreate ALL certs; CA, Client, dh2048 with this easy-rsa and I
> suspect that this might be a problem...

I suspect that you did this without understanding the consequences.

> Any advice as to whether or not I can/should use easy-rsa with 2.5 and
> reference to any tricks that might be needed is greatly appreciated

No tricks required. Always remember to keep backups of things you decide to change.

Regards,
--
Re: [Openvpn-users] Reference manual for OpenVPN 2.6 PDF
Also:
https://openvpn.net/community-resources/#books

On Monday, 11 December 2023 at 18:25, tincantech wrote:

> I believe the correct answer here is:
> OpenVPN does not provide a PDF form of the manual.
>
> Which is a practical decision.
>
> HTH
> --
>
> On Monday, 11 December 2023 at 18:13, Hans via Openvpn-users wrote:
>
> > > From: "Antonio Quartulli"
> > > Date: Monday, 11 December 2023 at 12:02:33
> > > To: "Jason Long" , "Tincantech via Openvpn-users"
> > > Subject: Re: [Openvpn-users] Reference manual for OpenVPN 2.6 PDF
> > >
> > > Hi,
> > >
> > > On 11/12/2023 11:15, Jason Long via Openvpn-users wrote:
> > > > Hello,
> > > > How can I download the Reference manual for OpenVPN 2.6
> > > > (https://openvpn.net/community-resources/reference-manual-for-openvpn-2-6/)
> > > > as a PDF file?
> > >
> > > maybe you could open the manpage at this link:
> > >
> > > https://build.openvpn.net/man/openvpn-2.6/openvpn.8.html
> > >
> > > and print it using the "Save as PDF" virtual printer?
> > >
> > > Cheers,
> > >
> > > --
> > > Antonio Quartulli
> >
> > Those reference manuals contain code examples, that are utterly unreadable.
> > Light shade of grey font.
> >
> > This message may contain information that is not intended for you. If you
> > are not the addressee or if this message was sent to you by mistake, you
> > are requested to inform the sender and delete the message. The State
> > accepts no liability for damage of any kind resulting from the risks
> > inherent in the electronic transmission of messages.
Re: [Openvpn-users] Reference manual for OpenVPN 2.6 PDF
I believe the correct answer here is:
OpenVPN does not provide a PDF form of the manual.

Which is a practical decision.

HTH
--

On Monday, 11 December 2023 at 18:13, Hans via Openvpn-users wrote:

> > From: "Antonio Quartulli"
> > Date: Monday, 11 December 2023 at 12:02:33
> > To: "Jason Long" , "Tincantech via Openvpn-users"
> > Subject: Re: [Openvpn-users] Reference manual for OpenVPN 2.6 PDF
> >
> > Hi,
> >
> > On 11/12/2023 11:15, Jason Long via Openvpn-users wrote:
> > > Hello,
> > > How can I download the Reference manual for OpenVPN 2.6
> > > (https://openvpn.net/community-resources/reference-manual-for-openvpn-2-6/)
> > > as a PDF file?
> >
> > maybe you could open the manpage at this link:
> >
> > https://build.openvpn.net/man/openvpn-2.6/openvpn.8.html
> >
> > and print it using the "Save as PDF" virtual printer?
> >
> > Cheers,
> >
> > --
> > Antonio Quartulli
>
> Those reference manuals contain code examples, that are utterly unreadable.
> Light shade of grey font.
Re: [Openvpn-users] Issue with "up" and "down" script
And, as ever, check your log files.
Re: [Openvpn-users] Issue with "up" and "down" script
Hi,

for the record, OpenVPN does not set $PATH when executing scripts.

It looks like you have partially fixed this with use of `/usr/bin/echo` but not done the same for `/usr/bin/resolvectl`.

You can set your expected $PATH for the script or call programs by absolute PATH.

You may also find this useful:
https://github.com/jonathanio/update-systemd-resolved/

HTH
--
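The advice above (set your own $PATH, or call every program by absolute path) as an added example; this is not code from the post or from the update-systemd-resolved project. It is a `--up`/`--down` script that fixes its own search path before touching anything. OpenVPN exports `dev` and `script_type` to the script; the tool locations and the resolver address `VPN_DNS` are assumptions (the address is a constructed placeholder).

```shell
#!/bin/sh
# Added example, not from the list post: an OpenVPN --up/--down script that
# does not depend on an inherited $PATH. OpenVPN runs the script with only the
# variables it exports (dev, script_type, ...); everything else is set here.

# 1. A fixed search path: no current directory, nothing user-writable.
PATH=/usr/sbin:/usr/bin:/sbin:/bin
export PATH

# 2. Absolute paths for every external tool. Assumed locations; adjust
#    them to your distribution.
RESOLVECTL=/usr/bin/resolvectl

# Constructed placeholder: the resolver to use while the tunnel is up. A
# production script would read it from the foreign_option_N variables that
# OpenVPN sets from pushed "dhcp-option DNS" values.
VPN_DNS=${VPN_DNS:-10.8.0.1}

# require_abs <path>: true only for an absolute path to an executable file.
# Refusing bare names ("resolvectl") is the point: a bare name is resolved
# through $PATH, and that is exactly what the log in the thread shows failing.
require_abs() {
    case "$1" in
        /*) [ -x "$1" ] ;;
        *)  return 1 ;;
    esac
}

# resolvectl_cmd <dev> <dns>: the exact command vpn_up runs, as a string, so it
# can be logged or reviewed without executing it.
resolvectl_cmd() {
    printf '%s dns %s %s' "$RESOLVECTL" "$1" "$2"
}

# Point systemd-resolved at the VPN resolver for the tunnel interface only.
vpn_up() {
    require_abs "$RESOLVECTL" || return 1
    "$RESOLVECTL" dns "$dev" "$VPN_DNS"
    "$RESOLVECTL" domain "$dev" "~."
}

# Undo the per-link settings when the tunnel goes away.
vpn_down() {
    require_abs "$RESOLVECTL" || return 1
    "$RESOLVECTL" revert "$dev"
}

# OpenVPN tells the script which hook it is running via $script_type. When the
# variable is unset (run by hand, or sourced for testing) nothing happens.
case "${script_type:-}" in
    up)   vpn_up ;;
    down) vpn_down ;;
esac
```

Reference it from the client config with `script-security 2`, `up /etc/openvpn/vpn-dns.sh` and `down /etc/openvpn/vpn-dns.sh` (paths assumed). Because `require_abs` rejects anything that is not an absolute path to an executable, a missing tool fails the hook loudly instead of silently running whatever an unexpected `$PATH` turns up.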
Re: [Openvpn-users] OpenVPN + Tor
Hi,

On Tuesday, 7 November 2023 at 05:27, Jason Long wrote:

> Hello,
> I added the following line to the server.conf file:
>
> push "route 172.20.0.0 255.255.255.0"
>
> Then, I restarted the OpenVPN service:
>
> # systemctl restart openvpn
>
> But, I can't ping computers on the internal network by name.

"by name" requires DNS, which is beyond the scope here.

> I have some questions about the following two lines:
>
> 1- Next, you must set up a route on the server-side LAN gateway to route the
> VPN client subnet (10.8.0.0/24) to the OpenVPN server (this is only necessary
> if the OpenVPN server and the LAN gateway are different machines).
>
> Should I write the routing table on the OpenVPN server?

If you do not understand how to configure routing then you can use iptables to do masquerading.

> 2- Make sure that you've enabled IP and TUN/TAP forwarding on the OpenVPN
> server machine.
>
> I have enabled IP forwarding on the server. What is TUN/TAP forwarding?

Forwarding TAP/TUN means configuring your firewall to allow VPN traffic to flow.

--
Re: [Openvpn-users] OpenVPN + Tor
Hi,

--- Original Message ---
On Monday, November 6th, 2023 at 12:26, Jason Long wrote:

> Hello,
> Thank you so much for your reply.
> Some lines of my server.conf file are:
>
> push "redirect-gateway def1 bypass-dhcp"
> push "dhcp-option DNS 172.20.1.2"
> push "dhcp-option DNS 172.20.1.7"
> topology subnet
>
> Should I add the following line in my client configuration file:
>
> redirect-gateway def1 bypass-dns
>
> And add the following line to my server configuration file:
>
> pull-filter ignore 'redirect-gateway*'
>
> Right?

No, --pull-filter is a client option, so is used by the client.

However, because you are pushing DNS servers from the server, I will assume that 172.20.1.0/24 is a subnet on the server side of the VPN; In which case you need to read the Howto section which explains "Expanding the scope of the VPN":
https://community.openvpn.net/openvpn/wiki/HOWTO#ExpandingthescopeoftheVPNtoincludeadditionalmachinesoneithertheclientorserversubnet

You do not need to use "redirect-gateway" or "pull-filter" on the client side at all.

--
Re: [Openvpn-users] OpenVPN + Tor
Hi,

Your DNS server is non-local and you are most likely redirecting your gateway to the VPN. So, DNS packets for your DNS server are sent into the tunnel and are finally dropped by the server gateway.

Openvpn has option: '--redirect-gateway bypass-dns'

You could try that by using:

redirect-gateway def1 bypass-dns

in your client configuration file.

You will probably also need to ignore the server pushed redirect-gateway by using:

pull-filter ignore 'redirect-gateway*'

Try experimenting with that and test if your DNS is then reachable, while the VPN is up.

HTH
--
Re: [Openvpn-users] OPenVPN 2.5 - How to allow client access to the web but not to the local LAN?
Hi,

--- Original Message ---
On Friday, October 20th, 2023 at 23:39, Bo Berglund wrote:

> On Fri, 20 Oct 2023 22:12:18 +0200, Antonio Quartulli a...@unstable.cc wrote:
>
> > Hi,
> >
> > On 20/10/2023 21:35, Bo Berglund wrote:
> >
> > > What have I missed?
> >
> > Breaking your setup in mysterious ways is not going to help :-)
> >
> > As Gert pointed out, what you want to achieve requires configuring the
> > firewall to prevent access to the LAN subnet.

I also pointed that out ;-)

> So you mean using the same service conf file as for the web + LAN operation, but
> with a different tunnel subnet and different port?
>
> That would allow LAN access.

This makes no sense.

FWIW, openvpn does not control your firewall or network or do magic. It is a secure tunnel between peers. All the rest is clever tricks.

> Then using IPTABLES blocking such LAN access for that tunnel range.
>
> I will make some new tests later and see if that is working.
>
> I am worried that if the destination happens to be the gateway to the internet,
> like it would when browsing via the tunnel, will it be allowed???

This is a case of not understanding how IP works.

For example; if you want to browse the Openvpn Forum, you will send packets to 3.72.228.171, not your local router address. The same is true for tunneling your internet browsing.

HTH
Re: [Openvpn-users] OPenVPN 2.5 - How to allow client access to the web but not to the local LAN?
Hi,

--- Original Message ---
On Friday, October 20th, 2023 at 21:17, Bo Berglund wrote:

> On Fri, 20 Oct 2023 15:35:30 -0400, Bo Berglund bo.bergl...@gmail.com wrote:
>
> > On Thu, 19 Oct 2023 18:11:48 -0400, Bo Berglund bo.bergl...@gmail.com wrote:
> >
> > > I.e. is it enough to remove the route into the local LAN for this to be blocked
> > > and only allowing web access forwarding?

No. In this case --redirect-gateway has the same effect as pushing a route for the server LAN. Access to the Server LAN must be controlled via the firewall. Because, even if the server does not push --redirect-gateway or --route, the client can still install these routes via the client config, or manually ..

> > The log seems to show a successful connection but then it spits out this
> > afterwards:
> >
> > BosseAtJenny/90.:3626 PUSH: Received control message: 'PUSH_REQUEST'
> > BosseAtJenny/90.:3626 MULTI: bad source address from client [100.85.129.161],
> > packet dropped
> > BosseAtJenny/90.***:3626 MULTI: bad source address from client [100.85.129.161],
> > packet dropped

These are packets from a client, with an IP that is unknown to the server. You should recognise the IP address, otherwise, you may have some rogue traffic on your client network. If you recognise the IP then you would use --iroute to enable or disable handling that traffic.

> Forgot to say that I added the rule for this server so iptables-save reports:
> *nat
> :PREROUTING ACCEPT [49428:11412761]
> :INPUT ACCEPT [49214:11396939]
> :OUTPUT ACCEPT [2047:130347]
> :POSTROUTING ACCEPT [2047:130347]
> -A POSTROUTING -s 10.13.143.0/24 -j MASQUERADE
> -A POSTROUTING -s 10.13.149.0/24 -j MASQUERADE
>
> Which I assumed was needed in order to make the routing out onto the web to happen.
> 143 is for web+lan (working) and 149 for webonly (failing)

If the behaviour is different then something else could be setup wrong, or maybe you have just run out of patience .. hard to say.

Do you understand what MASQUERADE does? If not then you really should, by now ..

Also, you have not installed any rules to control access to your Server LAN.

Ask one question at a time and then read and understand the answers.

HTH
Re: [Openvpn-users] OPenVPN 2.5 - How to allow client access to the web but not to the local LAN?
Hi,

--- Original Message ---
On Friday, October 20th, 2023 at 00:31, Bo Berglund wrote:

> I have done that previously using ccd commands to assign a user a specific IP
> address and then block that address in IPTABLES from reaching the LAN (except
> the gateway of course).

You do not need to make an exception for the Server LAN gateway. Your client gateway has been redirected to the Server IP, not the Server GW IP.

In your case, the iptables rule to block the entire Server LAN is what you need. This still allows client internet traffic to flow.

enjoy!
Re: [Openvpn-users] OPenVPN 2.5 - How to allow client access to the web but not to the local LAN?
Hi,

--- Original Message ---
On Friday, October 20th, 2023 at 00:31, Bo Berglund wrote:

> On Thu, 19 Oct 2023 22:52:12 +0000, tincantech via Openvpn-users
> openvpn-users@lists.sourceforge.net wrote:
>
> > I think I have misunderstood above.
> >
> > You want to take away client access to the server LAN.
>
> Yes, I want these clients to only use the VPN server as a way to reach the
> Internet from another location than their own. But not allowing them to reach
> into the VPN server's local LAN.
>
> > That must be done with the server firewall.
> >
> > eg: block VPN IPs from sending to the server LAN.
>
> That's IPTABLES, right?

Yes, something along the lines of:

iptables -A FORWARD -s $vpn_ip/$mask -d $srv_lan_ip/$mask -j DROP

HTH
Re: [Openvpn-users] OPenVPN 2.5 - How to allow client access to the web but not to the local LAN?
Hi,

--- Original Message ---
On Thursday, October 19th, 2023 at 23:39, tincantech via Openvpn-users wrote:

> Hi,
>
> --- Original Message ---
> On Thursday, October 19th, 2023 at 23:11, Bo Berglund bo.bergl...@gmail.com wrote:
>
> > Now I would like to add one more type, web-only:
> > 4 - Client can only access the web through the server side gateway but not the
> > local LAN
> >
> > What is the simplest way to accomplish this?
> >
> > I.e. is it enough to remove the route into the local LAN for this to be blocked
> > and only allowing web access forwarding?
>
> This sounds like you want the --redirect-gateway flag 'block-local'. eg:
> `redirect-gateway def1 block-local`
>
> Does that work for you ?

I think I have misunderstood above.

You want to take away client access to the server LAN.

That must be done with the server firewall.

eg: block VPN IPs from sending to the server LAN.

HTH
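The whole "web but not LAN" thread, from the masquerade-only `*nat` table to the `FORWARD ... -j DROP` rule, and the IP-forwarding and masquerading remarks in the "OpenVPN + Tor" replies above, come down to one ordered ruleset. Here it is as an added example, not code from the thread or from OpenVPN, assuming constructed placeholders: 10.13.149.0/24 for the web-only tunnel subnet, 192.168.1.0/24 for the server LAN, and tun0/eth0 for the interfaces. The `check_lan_block` function audits an `iptables-save` dump for the ordering mistake the thread was circling.

```shell
#!/bin/sh
# Added example, not from the thread: server-side netfilter rules for a
# "web only" VPN client subnet. Addresses and interface names are constructed.
VPN_NET=10.13.149.0/24   # tunnel subnet of the web-only clients
LAN_NET=192.168.1.0/24   # server-side LAN the clients must not reach
TUN_IF=tun0
WAN_IF=eth0

# forward_rules: print the rules in the order they must be appended.
# netfilter stops at the first matching rule, so the VPN->LAN DROP has to
# come before any ACCEPT for the same source. The *nat MASQUERADE rule (the
# only rule in the thread's iptables-save output) rewrites the source address
# on the way out; it never blocks anything, which is why the LAN stayed open.
forward_rules() {
    cat <<EOF
iptables -A FORWARD -s $VPN_NET -d $LAN_NET -j DROP
iptables -A FORWARD -i $TUN_IF -o $WAN_IF -s $VPN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $TUN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
EOF
}

# check_lan_block: read iptables-save style FORWARD lines on stdin and succeed
# only if a VPN->LAN DROP appears before the first ACCEPT for the VPN subnet.
# Audit a live box with:  iptables-save -t filter | check_lan_block
check_lan_block() {
    while IFS= read -r line; do
        case "$line" in
            *"-s $VPN_NET"*"-d $LAN_NET"*"-j DROP"*) return 0 ;;
            *"-s $VPN_NET"*"-j ACCEPT"*)             return 1 ;;
        esac
    done
    return 1   # no block rule seen at all
}

# apply: enable forwarding (the HOWTO's "IP forwarding" step) and install the
# rules. Needs root; kept behind an explicit flag so that running the file
# without arguments changes nothing.
apply() {
    sysctl -w net.ipv4.ip_forward=1
    forward_rules | sh -e
}

if [ "${1:-}" = "--apply" ]; then
    apply
fi
```

The DROP covers the entire LAN, gateway included; as the earlier reply notes, no exception for the LAN gateway is needed because the clients' default route points at the OpenVPN server, not at the LAN gateway, so their internet traffic still flows through the ACCEPT and MASQUERADE rules. FORWARD only governs traffic passing through the server; what clients may send to the server itself is a separate INPUT-chain decision.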
Re: [Openvpn-users] OPenVPN 2.5 - How to allow client access to the web but not to the local LAN?
Hi,

--- Original Message ---
On Thursday, October 19th, 2023 at 23:11, Bo Berglund wrote:

> Now I would like to add one more type, web-only:
> 4 - Client can only access the web through the server side gateway but not the
> local LAN
>
> What is the simplest way to accomplish this?
> I.e. is it enough to remove the route into the local LAN for this to be blocked
> and only allowing web access forwarding?

This sounds like you want the --redirect-gateway flag 'block-local'. eg:
`redirect-gateway def1 block-local`

Does that work for you ?
Re: [Openvpn-users] Easy-RSA v3.1.7 pre-release notice
A brief and useful example:

I choose to use elliptic curve ED448. This can be set in the `vars` file using

set_var EASYRSA_ALGO ed
set_var EASYRSA_CURVE ed448

Or by command line:

easyrsa --use-algo=ed --curve=ed448 --nopass --days=1 build-ca

Continue to use those options on the command line for subsequent commands. Choose --days to serve your needs. I use --nopass for ease only, you can use passwords as you choose.

Note; Command `init-pki` does not affect the crypto that will be used.

The resulting PKI can be used alongside OpenVPN option --tls-groups X448. Use the PKI from EasyRSA, along with --tls-groups option on the server side.

Enjoy,
R
Re: [Openvpn-users] Easy-RSA v3.1.7 pre-release notice
This may be of use;

The default user `vars` file can be created with command:

* `easyrsa make-vars > ./vars`

Redirect `./vars` to your preferred location.

R
[Openvpn-users] Easy-RSA v3.1.7 pre-release notice
Hello OpenVPN Users,

--- Original Message ---
On Saturday, October 7th, 2023 at 14:27, tincantech via Openvpn-users wrote:

> Note: The next release of Easy-RSA will not complain about the location
> of the vars file. Until then, you can simply ignore the message.

If all goes well then Easy-RSA version 3.1.7 will be released on 2023/10/13.

This will, hopefully, be the exact same script as is current master branch.

You can try `easyrsa` from:

* https://raw.githubusercontent.com/OpenVPN/easy-rsa/master/easyrsa3/easyrsa

This script should run without the need for any further packaging.

Please test this script and report any and all problems either here on the ML or to https://github.com/OpenVPN/easy-rsa/issues

All commands are documented as follows:

* `easyrsa` lists all the major commands, plus some helpful information.
* `easyrsa help <command>` shows detailed help for each `<command>`
* `easyrsa help options` lists all the available options, with a short description.
* `easyrsa help more` lists some extra commands.

I am happy to answer questions about EasyRSA, prior to this major release. You can also use this thread for follow-up issues, once the release has been published.

Thank you for your help and any feedback,
kind regards,
Richard.
Re: [Openvpn-users] Using easyrsa3 - how to set longer expiration than 10 years?
--- Original Message ---
On Saturday, October 7th, 2023 at 07:20, Bo Berglund wrote:

> On Fri, 06 Oct 2023 20:59:48 +0000, tincantech via Openvpn-users
> openvpn-users@lists.sourceforge.net wrote:
>
> > On Friday, October 6th, 2023 at 21:17, Bo Berglund bo.bergl...@gmail.com wrote:
> >
> > > In easyrsa2 one could enter a longer expiration than 3650 days by editing the
> > > vars file and changing these entries
> > >
> > > export CA_EXPIRE=3650
> > > export KEY_EXPIRE=3650
> > >
> > > to a different value like 7300 (20 years).
> > >
> > > How is it done correctly using easyrsa3?
> > >
> > > Like this?
> > >
> > > - rename vars.example to vars
> > > - Activate lines and values:
> > > set_var EASYRSA_CA_EXPIRE 7300
> > > set_var EASYRSA_CERT_EXPIRE 7200
> >
> > That will also set standard certificate expiry to 7200 days.
> >
> > For the CA only, you could use `easyrsa --days=7300 build-ca`
> >
> > Option --days can be used by any command that requires an expiration date.
>
> It turned out that when I ran the initial
>
> easyrsa init-pki
>
> it complained about me having modified vars.example and created a vars file...
> So I reverted those changes and ran the command again.
> This produced a pki dir where there was a vars file, which seems to be the one I
> can edit to change the expiration.
> I did not want to run init-pki until I had changed the expiration since I did
> not know what could be changed afterwards...
>
> Now OK after editing the vars file there.
>
> > > I have noted that these two have defaults of 3650 and 825 days respectively,
> > > what is the reason for that and will my suggested expirations above not work?
> >
> > They apply to different certificates, as shown above.
>
> Yes, I understand that but I wondered why there was such a big difference in
> expiration in the default for these two...

Generally accepted standards.

Note: The next release of Easy-RSA will not complain about the location of the vars file. Until then, you can simply ignore the message.

> Additional question:
>
> This is the first device on which I install OpenVPN using easyrsa3.
> Earlier some months ago I migrated from easyrsa2 to easyrsa3 on existing
> servers. And that was successful with your help after fixing some problems with
> the migration function.
> I wrote a client creation script that runs the full process of generating the
> client OVPN file and it works just fine.
>
> Now I am trying to set up a new server for my daughter and I have run into a
> problem of understanding again
>
> My server.conf files contain references to cryptography like shown below and I
> have found the easyrsa3 locations for the new server after running these
> creation commands from earlier discussions:
>
> easyrsa --nopass build-ca (enter the CN JennyVPN when asked)
> easyrsa --nopass build-server-full JennyVPN
> openvpn --genkey tls-crypt tls-crypt.key
>
> dh /etc/openvpn/keys/dh2048.pem ?
> tls-auth /etc/openvpn/keys/ta.key 0 ?
>
> Where can I find the two missing files for dh and tls-auth?
> Or have I misunderstood the procedure?

And --tls-crypt ...

As for *your* procedure, I recommend you review your apparent use of --tls-auth versus --tls-crypt. Probably, check out the OpenVPN manual. Use of these two keys is mutually exclusive.

DH param file: `easyrsa gen-dh`

regards

> TIA
>
> --
> Bo Berglund
> Developer in Sweden
Re: [Openvpn-users] Using easyrsa3 - how to set longer expiration than 10 years?
--- Original Message ---
On Friday, October 6th, 2023 at 21:17, Bo Berglund wrote:

> In easyrsa2 one could enter a longer expiration than 3650 days by editing the
> vars file and changing these entries
>
> export CA_EXPIRE=3650
> export KEY_EXPIRE=3650
>
> to a different value like 7300 (20 years).
>
> How is it done correctly using easyrsa3?
>
> Like this?
>
> - rename vars.example to vars
> - Activate lines and values:
> set_var EASYRSA_CA_EXPIRE 7300
> set_var EASYRSA_CERT_EXPIRE 7200

That will also set standard certificate expiry to 7200 days.

For the CA only, you could use `easyrsa --days=7300 build-ca`

Option --days can be used by any command that requires an expiration date.

> I have noted that these two have defaults of 3650 and 825 days respectively,
> what is the reason for that and will my suggested expirations above not work?

They apply to different certificates, as shown above.

Also documented in vars.example:

# In how many days should the root CA key expire?
#
#set_var EASYRSA_CA_EXPIRE 3650

# In how many days should certificates expire?
#
#set_var EASYRSA_CERT_EXPIRE 825

HTH
--

> --
> Bo Berglund
> Developer in Sweden
Re: [Openvpn-users] How to set a fixed IP to a client?
Hi,

--- Original Message ---
On Sunday, September 3rd, 2023 at 15:06, Bruno Tréguier via Openvpn-users wrote:

> On 03/09/2023 at 15:23, Jason Long wrote:
>
> > Hello,
> > As I said, I have some scenario and I want to learn more.

Translation: "I don't read documentation..."

Response: I don't retype documentation for mailing lists.

Observation: The way you have setup your environment, eg. Windows with ZERO routes (sent to this mailing list), indicates that you have some familiarity with Windows but ZERO familiarity with OpenVPN.

Your continued use of this mailing list as an alternative to reading any documentation has not gone unnoticed.

Ciao,
--
Re: [Openvpn-users] How to set a fixed IP to a client?
Not only but also, This HOWTO is very useful:
https://community.openvpn.net/openvpn/wiki/HOWTO

YMMV
--
Re: [Openvpn-users] Easy-RSA minimal how-to
To follow up, a very brief introduction to Easy-RSA.

Download the latest Easy-RSA:
https://github.com/OpenVPN/easy-rsa/releases/tag/v3.1.5

Unpack that to a suitable folder in your HOME folder.
Change directory to the new folder.

Create your first PKI:
$ ./easyrsa init-pki

Create your CA:
$ ./easyrsa --nopass build-ca

Create your server certificate:
$ ./easyrsa --nopass build-server-full server1

Create your client certificate:
$ ./easyrsa --nopass build-client-full client1

Note: These certificates will not be password protected but you don't need password protection at this stage of your learning curve.

Create a TLS key with Openvpn:
$ openvpn --genkey tls-crypt tls-crypt.key

That is all there is to generating a working PKI.

This will also create Inline files in the PKI folder, under 'pki/inline' - These inline files are suitable for use in your server and client config files by copy and pasting them as-is into the config files.

To add the TLS key, you can copy and paste it as inline but this is not automatically done by Easy-RSA, you must do that yourself.

To use TLS keys inline, use the inline tag like so:

<tls-crypt>
* Paste the tls-crypt.key file here *
</tls-crypt>

(This does not require the --key-direction parameter)

Assuming that you do that correctly, your config files are now ready to use, after you add the other Openvpn directives. eg: --server or --client etc.
If that looks too difficult then try a script, such as:
https://github.com/pivpn/pivpn

Good luck,
tct
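The copy-and-paste step above can be automated. This is an added example, not Easy-RSA or OpenVPN project code: it assumes the default Easy-RSA layout (pki/ca.crt, pki/issued/NAME.crt, pki/private/NAME.key) plus the tls-crypt.key from `openvpn --genkey tls-crypt`, and the sample material embedded at the bottom is constructed, not real key data.

```python
"""Assemble an inline OpenVPN client config from an Easy-RSA PKI.

Added example, not Easy-RSA or OpenVPN project code. It assumes the default
Easy-RSA layout (pki/ca.crt, pki/issued/<name>.crt, pki/private/<name>.key)
plus a tls-crypt.key produced by `openvpn --genkey tls-crypt`. An issued
.crt from Easy-RSA carries a human-readable dump before its PEM block, so
only the PEM block is copied between the inline tags; tls-crypt takes no
key-direction, unlike tls-auth.
"""
import re
from pathlib import Path

# One PEM block: BEGIN line, body, matching END line. Non-greedy so text
# before the block (Easy-RSA's certificate dump) is never included.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Za-z0-9 ]+)-----\r?\n.*?\r?\n-----END \1-----", re.DOTALL
)


def extract_pem(text: str, label_suffix: str) -> str:
    """Return the first PEM block whose label ends with label_suffix."""
    for m in PEM_RE.finditer(text):
        if m.group(1).endswith(label_suffix):
            return m.group(0).strip()
    raise ValueError(f"no '{label_suffix}' PEM block found")


def inline_block(tag: str, pem: str) -> str:
    """Wrap a PEM block in OpenVPN's <tag> ... </tag> inline syntax."""
    return f"<{tag}>\n{pem}\n</{tag}>\n"


def build_client_config(ca_crt: str, client_crt: str, client_key: str,
                        tls_crypt_key: str, remote: str, port: int = 1194) -> str:
    """Return a client config with CA, cert, key and tls-crypt key inline."""
    head = "\n".join([
        "client",
        "dev tun",
        "proto udp",
        f"remote {remote} {port}",
        "nobind",
        "remote-cert-tls server",   # refuse a client cert presented as the server
        "verb 3",
        "",
    ])
    return head + (
        inline_block("ca", extract_pem(ca_crt, "CERTIFICATE"))
        + inline_block("cert", extract_pem(client_crt, "CERTIFICATE"))
        + inline_block("key", extract_pem(client_key, "PRIVATE KEY"))  # PKCS#8, RSA or EC label
        + inline_block("tls-crypt", extract_pem(tls_crypt_key, "OpenVPN Static key V1"))
    )


def build_from_pki(pki_dir: str, name: str, tls_key: str, remote: str) -> str:
    """Read the files Easy-RSA writes and build the config for client <name>."""
    pki = Path(pki_dir)
    return build_client_config(
        (pki / "ca.crt").read_text(),
        (pki / "issued" / f"{name}.crt").read_text(),
        (pki / "private" / f"{name}.key").read_text(),
        Path(tls_key).read_text(),
        remote,
    )


# Constructed sample material (NOT real keys); shapes mimic Easy-RSA output.
SAMPLE_CA = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBsampleCAbody00000000000000000000000000000000000000000000000==\n"
    "-----END CERTIFICATE-----\n"
)
SAMPLE_CLIENT_CRT = (
    "Certificate:\n    Data:\n        Issuer: CN=Easy-RSA CA\n"
    "        Subject: CN=client1\n"
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBsampleClientBody0000000000000000000000000000000000000000000==\n"
    "-----END CERTIFICATE-----\n"
)
SAMPLE_CLIENT_KEY = (
    "-----BEGIN PRIVATE KEY-----\n"
    "MIIEsampleKeyBody000000000000000000000000000000000000000000000==\n"
    "-----END PRIVATE KEY-----\n"
)
SAMPLE_TLS_CRYPT = (
    "#\n# 2048 bit OpenVPN static key\n#\n"
    "-----BEGIN OpenVPN Static key V1-----\n"
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff\n"
    "-----END OpenVPN Static key V1-----\n"
)

if __name__ == "__main__":
    print(build_client_config(SAMPLE_CA, SAMPLE_CLIENT_CRT, SAMPLE_CLIENT_KEY,
                              SAMPLE_TLS_CRYPT, "vpn.example.net"))
```

Because the key ends up inside a tls-crypt tag, no separate ta.key file and no `tls-crypt ta.key` directive are needed, which is the situation behind the "Cannot pre-load keyfile" thread further down.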
Re: [Openvpn-users] How to use ccd-exclusive statement?
Hi,

--- Original Message ---
On Wednesday, August 16th, 2023 at 15:55, Jochen Bern wrote:

> However, if you worked along that how-to, your CA certificate is
> indeed using the CN of "server" (not "Server", but that might be a
> liberty that MS took). Exactly the same as the server cert. X-C
>
> > Common Name (eg: your user, host, or server name) [Easy-RSA CA]:server

Thank you Jochen, indeed, that is an unfortunate possibility..

@Jason - When you create your CA certificate, simply use the default Easy-RSA, for the time being. Creating and customising a new PKI can be done later, once you get your VPN working.

Good luck,
tct
Re: [Openvpn-users] How to use ccd-exclusive statement?
Edited for brevity:

--- Original Message ---
> On 16.08.23 12:23, Jason Long via Openvpn-users wrote:
> > I opened the ca.crt file on the client and clicked on the Details tab
> > and it showed me "CN = Server". So, I must change the "Test-PC" to
> > "Server". Am I right?
> No.

Given your apparent level of skill, I find it impossible to believe that you have created a certificate with CN of Server, with a file name of ca.crt -- And if you have done then you should start PKI from scratch.

Good luck,
tct
Re: [Openvpn-users] How to use ccd-exclusive statement?
Hi,

--- Original Message ---
On Tuesday, August 15th, 2023 at 15:02, Gert Doering wrote:

> Hi,
>
> On Tue, Aug 15, 2023 at 12:54:45PM +, Jason Long via Openvpn-users wrote:
>
> > I did a tcpdump:
> >
> > # tcpdump --interface any udp port 2000 -n -v
> > tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
> > 08:50:47.761991 IP (tos 0x0, ttl 128, id 892, offset 0, flags [DF], proto UDP (17), length 82)
> > 192.168.1.21.60461 > 192.168.1.20.2000: UDP, length 54
>
> Client is sending to ip A.
>
> > 08:50:47.762524 IP (tos 0x0, ttl 64, id 24726, offset 0, flags [DF], proto UDP (17), length 94)
> > 10.10.0.1.2000 > 192.168.1.21.60461: UDP, length 66
>
> ... and server is replying from IP B.
>
> Not sure how you ended there, but if you want the server on 10.10.0.1,
> then the client needs to connect to that IP.
>
> (I said it before: if a machine has multiple IP addresses and you use
> UDP, you must use --multihome on the server)

Thank you for that insightful observation Gert.

However, this behavior does not correlate with Jason's claim that "Without --ccd-exclusive the client *can* connect".

As I told Jason before, start with a simple server, that does not have multiple NICs.
Regards
tct
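The mismatch Gert reads out of the capture (client sends to one address, server answers from another) can be picked out of a tcpdump listing mechanically. This is an added example, not from the thread; the capture it parses is a constructed copy of the two flow lines quoted above.

```python
"""Spot a multihomed UDP server replying from a different address than
the one the client sent to.

Added example, not from the thread. It pairs each client datagram with
the server datagram that answers it and reports replies whose source
address differs from the destination the client used. SAMPLE_CAPTURE is
a constructed copy of the two flows quoted in the message (tcpdump on the
'any' interface with -n -v).
"""
import re

# Matches the flow line tcpdump prints with -n: "src.port > dst.port: UDP, length N"
FLOW_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP, length (\d+)"
)

# Constructed sample, mirroring the capture in the thread.
SAMPLE_CAPTURE = """\
08:50:47.761991 IP (tos 0x0, ttl 128, id 892, offset 0, flags [DF], proto UDP (17), length 82)
    192.168.1.21.60461 > 192.168.1.20.2000: UDP, length 54
08:50:47.762524 IP (tos 0x0, ttl 64, id 24726, offset 0, flags [DF], proto UDP (17), length 94)
    10.10.0.1.2000 > 192.168.1.21.60461: UDP, length 66
"""


def parse_udp_flows(capture: str) -> list:
    """Return (src, sport, dst, dport, length) for every UDP flow line."""
    flows = []
    for line in capture.splitlines():
        m = FLOW_RE.search(line)
        if m:
            src, sport, dst, dport, length = m.groups()
            flows.append((src, int(sport), dst, int(dport), int(length)))
    return flows


def find_asymmetric_replies(flows: list, server_port: int) -> list:
    """Pair requests with replies by the client's (ip, port) and flag mismatches.

    A client only accepts replies from the address it sent to, so a server
    answering from another of its addresses is ignored and the handshake
    never completes.
    """
    sent_to = {}      # (client_ip, client_port) -> server address it targeted
    findings = []
    for src, sport, dst, dport, _ in flows:
        if dport == server_port:                    # client -> server
            sent_to[(src, sport)] = dst
        elif sport == server_port:                  # server -> client
            expected = sent_to.get((dst, dport))
            if expected is not None and expected != src:
                findings.append({"client": f"{dst}:{dport}",
                                 "sent_to": expected, "reply_from": src})
    return findings


if __name__ == "__main__":
    for f in find_asymmetric_replies(parse_udp_flows(SAMPLE_CAPTURE), 2000):
        print(f"{f['client']} sent to {f['sent_to']} but was answered from "
              f"{f['reply_from']}: use --multihome on the server, or point the "
              f"client at {f['reply_from']}")
```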
Re: [Openvpn-users] How to use ccd-exclusive statement?
Hi,

--- Original Message ---
On Tuesday, August 15th, 2023 at 10:57, Jason Long wrote:

> Hello,
> My OpenVPN server internal network IP is "192.168.1.20" and the IP address of
> client is "192.168.1.21". Both VMs can ping each other.
>
> According to "https://community.openvpn.net/openvpn/wiki/HOWTO", I did the
> following steps:
>
> # mkdir /etc/openvpn/ccd
> # nano /etc/openvpn/server.conf
>
> client-config-dir ccd
> ccd-exclusive
> route 192.168.1.0 255.255.255.0
>
> Then:
>
> # touch /etc/openvpn/ccd/Test-PC
> # nano /etc/openvpn/ccd/Test-PC
>
> iroute 192.168.1.0 255.255.255.0
>
> After it, I started the OpenVPN service and it worked. On client, when I want
> to connect to my OpenVPN server, then it showed me:
>
> Tue Aug 15 14:10:22 2023 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
> Tue Aug 15 14:10:22 2023 TLS Error: TLS handshake failed
>
> I take a look at
> "https://openvpn.net/faq/tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds-check-your-network-connectivity/"
> too.
>
> When I removed the following lines from my server.conf, then my client can
> connect to the server:
>
> client-config-dir ccd
> ccd-exclusive
> route 192.168.1.0 255.255.255.0
>
> How can I solve it?

As I have already explained:

If your client can only connect when you remove 'ccd-exclusive' from your server config, this means that there is not a CCD file for the client that is trying to connect.

> I changed protocol from UDP to TCP, but problem was not solved.

If you were a pilot, I would go by train.
HTH
tct
Re: [Openvpn-users] How to use ccd-exclusive statement?
--- Original Message ---
On Monday, August 14th, 2023 at 22:11, Jason Long wrote:

> On Mon, Aug 14, 2023 at 11:47 PM, tincantech wrote:
>
> > Hi,
> >
> > --- Original Message ---
> > On Monday, August 14th, 2023 at 20:49, Jason Long wrote:
> >
> > > On Mon, Aug 14, 2023 at 5:16 PM, tincantech wrote:
> > >
> > > > Hello,
> > > > Thank you so much for your help.
> > > > I take a look at "https://build.openvpn.net/man/openvpn-2.6/openvpn.8.html", but it only
> > > > explained the capabilities of this option and did not provide any
> > > > examples.
> > > > I did:
> > > > # mkdir /etc/openvpn/clients
> > > > # touch /etc/openvpn/clients/Client-1
> > > > Then, in server.conf:
> > > > client-config-dir clients
> > > > ccd-exclusive
> > > > But, Windows client can't connect to the OpenVPN server and my
> > > > connection restarted. Do I need to add something to the client
> > > > configuration file?
> >
> > No.
> >
> > You have NEVER managed to have a client connect to your server.
> > Therefore, your question regarding this problem is irrelevant.
>
> Hi,
> Not really, You're wrong. I tested various scenarios and learned a lot from
> you and others. Now I want to learn this scenario, but unfortunately I
> could not find an article that teaches from the beginning. I would be
> grateful if you could tell me where the problem is.

There are many reasons which could explain your problem:

* You may be using a server with multiple NICs, which is configured incorrectly.
* You may have configured your network routing incorrectly.
* You may have configured --ccd-exclusive incorrectly.
* You may have some other unknown problem.
Regarding the issue above, if you want to verify that --ccd-exclusive is working correctly then simply remove 'ccd-exclusive' from your server config, restart your server and try to connect again. If your client can now connect then --ccd-exclusive was successfully rejecting your client because there was no CCD file for that client.

HTH
tct
Re: [Openvpn-users] How to use ccd-exclusive statement?
Hi,

--- Original Message ---
On Monday, August 14th, 2023 at 20:49, Jason Long wrote:

> On Mon, Aug 14, 2023 at 5:16 PM, tincantech wrote:
>
> > Hello,
> > Thank you so much for your help.
> > I take a look at "https://build.openvpn.net/man/openvpn-2.6/openvpn.8.html", but it only
> > explained the capabilities of this option and did not provide any examples.
> > I did:
> > # mkdir /etc/openvpn/clients
> > # touch /etc/openvpn/clients/Client-1
> > Then, in server.conf:
> > client-config-dir clients
> > ccd-exclusive
> > But, Windows client can't connect to the OpenVPN server and my connection
> > restarted. Do I need to add something to the client configuration file?

No.

You have NEVER managed to have a client connect to your server.
Therefore, your question regarding this problem is irrelevant.

HTH
tct
Re: [Openvpn-users] How to use ccd-exclusive statement?
--- Original Message ---
On Monday, August 14th, 2023 at 14:13, Jason Long via Openvpn-users wrote:

> Hello,
> To increase the security of OpenVPN, I want to use the ccd-exclusive.

--ccd-exclusive does not "increase the security of OpenVPN".

What it does is to provide a server with a convenient way to temporarily disable certain clients by client commonName. This convenience means that the client certificate does not need to be revoked. And the client can have access to the server restored simply by (re-)creating a CCD file.

--ccd-exclusive means that the server will ONLY allow clients access if they have a CCD file in the folder configured by --client-config-dir.

> I googled it, but I could not find a good example. I just found the following
> question:
>
> https://serverfault.com/questions/877201/limit-access-to-remote-server-via-particular-vpn

I strongly recommend that your search starts with the Openvpn manual:
https://build.openvpn.net/man/openvpn-2.6/openvpn.8.html

EVERY option is described in the manual.

> But, I really don't know what to do.
> I must create a directory under the "/etc/openvpn", then create a file with
> the name of clients in it? For example, if my Windows client host name is
> "Client-1", then:
>
> # mkdir /etc/openvpn/clients
> # touch /etc/openvpn/clients/Client-1
>
> Then, in server.conf:
>
> client-config-dir clients
> ccd-exclusive
>
> Am I right?

Yes.

However, I strongly recommend that you learn the difference between "absolute paths" versus "relative paths". (Out of scope for this mailing list)

> How about the client configuration? Do I need to add anything?

No. Do exactly as the manual (above) describes.
HTH
tct
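The admission rule described above, and the "remove ccd-exclusive and retry" check suggested earlier in this thread, can be replayed offline. This is an added example, not OpenVPN project code: it models only the CN-named-file lookup the thread discusses, `base_dir` is an assumption standing in for the daemon's working directory (the relative-path point above), and the CCD file names and CN are constructed.

```python
"""Model OpenVPN's --client-config-dir / --ccd-exclusive admission check.

Added example, not OpenVPN project code. It models only what the thread
describes: the server looks for a file named after the client's
certificate commonName inside client-config-dir, and with ccd-exclusive
set a client that has no such file is refused. A relative
client-config-dir is resolved against the daemon's working directory
('base_dir' here is an assumption standing in for --cd or the service
unit's working directory). The DEFAULT fallback file and OpenVPN's
sanitising of the CN before using it as a file name are left out.
"""
import tempfile
from pathlib import Path
from typing import Optional


def parse_server_conf(text: str) -> tuple:
    """Pull client-config-dir and ccd-exclusive out of a server config."""
    ccd_dir: Optional[str] = None
    exclusive = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "client-config-dir" and len(parts) == 2:
            ccd_dir = parts[1]
        elif parts[0] == "ccd-exclusive":
            exclusive = True
    return ccd_dir, exclusive


def ccd_decision(base_dir: str, ccd_dir: Optional[str], exclusive: bool,
                 common_name: str) -> tuple:
    """Return (admitted, reason) for a client that already passed TLS auth."""
    if ccd_dir is None:
        return True, "no client-config-dir configured: nothing to check"
    # Path(base) / '/abs/dir' yields '/abs/dir', so absolute paths are kept.
    ccd_file = Path(base_dir) / ccd_dir / common_name
    if ccd_file.is_file():
        return True, f"applied {ccd_file}"
    if exclusive:
        return False, f"ccd-exclusive set and {ccd_file} does not exist"
    return True, f"no CCD file for CN {common_name!r}; admitted without one"


def walk_through() -> list:
    """Replay the thread in a scratch directory; returns each step's verdict."""
    verdicts = []
    with tempfile.TemporaryDirectory() as base:
        conf = "client-config-dir clients\nccd-exclusive\n"   # as posted
        ccd_dir, exclusive = parse_server_conf(conf)
        clients = Path(base) / ccd_dir
        clients.mkdir()
        cert_cn = "client1"   # CN as issued by `easyrsa build-client-full client1`
        # The file was named after the Windows host, not the certificate CN.
        (clients / "Client-1").touch()
        ok, _ = ccd_decision(base, ccd_dir, exclusive, cert_cn)
        verdicts.append(("file named after hostname, ccd-exclusive on", ok))
        # The check suggested in the thread: drop ccd-exclusive and retry;
        # if the client now connects, the missing CCD file was the cause.
        ok, _ = ccd_decision(base, ccd_dir, False, cert_cn)
        verdicts.append(("same directory, ccd-exclusive off", ok))
        # The fix: a file whose name is exactly the certificate CN, which
        # is also where a fixed address for that client would be pushed.
        (clients / cert_cn).write_text("ifconfig-push 10.8.0.10 255.255.255.0\n")
        ok, _ = ccd_decision(base, ccd_dir, exclusive, cert_cn)
        verdicts.append(("file named after certificate CN, ccd-exclusive on", ok))
    return verdicts


if __name__ == "__main__":
    for step, admitted in walk_through():
        print(f"{'ADMIT ' if admitted else 'REFUSE'}  {step}")
```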
Re: [Openvpn-users] A question about the local statement
Hi,

--- Original Message ---
On Monday, August 14th, 2023 at 11:51, Jason Long wrote:

> Hi,
>
> On Mon, Aug 14, 2023 at 10:13:48AM +, Jason Long wrote:
>
> > If someone really has such an environment, then what is the solution?

This question is not related to Openvpn.

You must learn some basic networking knowledge via other means. A book or online class, perhaps.

For now, I recommend that you DO NOT use a server with multiple NICs. See if you can get a simple server to work first.

HTH
tct
Re: [Openvpn-users] A question about the local statement
Hi,

--- Original Message ---
On Monday, August 14th, 2023 at 09:23, Jason Long via Openvpn-users wrote:

> Mon Aug 14 12:52:03 2023 read UDPv4: Connection reset by peer (WSAECONNRESET) (fd=ec,code=10054)
>
> Which option is wrong?

This means that the client packets, sent to the server, are delivered to a server which is not listening on the IP:Port combination configured in the client --remote.

Regards
Re: [Openvpn-users] Cannot pre-load keyfile (ta.key)
--- Original Message ---
On Saturday, August 12th, 2023 at 14:52, Jason Long wrote:

> Hi,
>
> > --- Original Message ---
> > On Saturday, August 12th, 2023 at 07:39, Jason Long via Openvpn-users openvpn-users@lists.sourceforge.net wrote:
> >
> > > Hello,
> > > I added "tls-crypt ta.key 0" and "data-cipher AES-256-GCM" to my
> > > Server.conf and "tls-crypt ta.key 1" and "data-cipher AES-256-GCM" to my
> > > Client.conf.
> > >
> > > Client.ovpn is:
> > >
> > > #
> > > # 2048 bit OpenVPN static key
> > > #
> > > -----BEGIN OpenVPN Static key V1-----
> > > ...
> > > -----END OpenVPN Static key V1-----
> > >
> > > But I got the following errors:
> > > Cannot pre-load keyfile (ta.key)
> > > Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC
> > > as fallback when cipher negotiation failed in this case. If you need this
> > > fallback please add '--data-ciphers-fallback BF-CBC' to your configuration
> > > and/or add BF-CBC to --data-ciphers.
> > >
> > > Why? Is this because my key is not a separate file?
> >
> > Yes.
>
> Hello,
> Thank you so much for your reply.
> Is there no trick?

Yes, there is no trick.
Re: [Openvpn-users] Cannot pre-load keyfile (ta.key)
Hi,

--- Original Message ---
On Saturday, August 12th, 2023 at 07:39, Jason Long via Openvpn-users wrote:

> Hello,
> I added "tls-crypt ta.key 0" and "data-cipher AES-256-GCM" to my Server.conf
> and "tls-crypt ta.key 1" and "data-cipher AES-256-GCM" to my Client.conf.
>
> Client.ovpn is:
>
> #
> # 2048 bit OpenVPN static key
> #
> -----BEGIN OpenVPN Static key V1-----
> ...
> -----END OpenVPN Static key V1-----
>
> But I got the following errors:
> Cannot pre-load keyfile (ta.key)
> Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as
> fallback when cipher negotiation failed in this case. If you need this
> fallback please add '--data-ciphers-fallback BF-CBC' to your configuration
> and/or add BF-CBC to --data-ciphers.
>
> Why? Is this because my key is not a separate file?

Yes.

> Thank you.
Re: [Openvpn-users] A question about "Local" option
Hi Jason,

Can you identify the error(s) present in this routing table ?

ip r
default via 10.1.101.1 dev enp5s0
default via 10.2.110.0 dev enp7s0
10.1.101.0/24 dev enp5s0 proto kernel scope link src 10.1.101.101
10.2.110.0/24 dev enp7s0 proto kernel scope link src 10.2.110.255
10.56.101.0/24 via 10.56.101.102 dev tunc56007
10.56.101.102 dev tunc56007 proto kernel scope link src 10.56.101.101
10.66.97.86 via 10.56.101.102 dev tunc56007
10.126.66.0/24 dev tuns12666 proto kernel scope link src 10.126.66.101
192.168.56.0/24 dev vboxnet0 proto kernel scope link src 192.168.56.1

As a pointer; What ever errors exist here are only related to multiple network interfaces, there are no openvpn errors present.

This question is open to all subscribers.

--- Original Message ---
On Sunday, August 6th, 2023 at 21:41, Jason Long via Openvpn-users wrote:

> Hello, Any idea?
> I would be grateful if someone could guide me.
>
> Cheers.
>
> > On Wed, Aug 2, 2023 at 11:17 PM, Jason Long via Openvpn-users wrote:
> > Hello,
> > To use OpenVPN with a NIC that has multiple IP addresses set on it, I need
> > to use the following statement in the server configuration file:
> >
> > Local "Virtual IP"
> >
> > But, when I use the following firewall rules and specify the virtual NIC,
> > OpenVPN network card and IP range, is there still a need for Local "Virtual IP"?
> >
> > # IF_MAIN=eth0:X
> > # IF_TUNNEL=tunX
> > # YOUR_OPENVPN_SUBNET=IP/16
> > # iptables -I INPUT -p udp --dport PORT -j ACCEPT
> > # iptables -A FORWARD -i $IF_MAIN -o $IF_TUNNEL -m state --state ESTABLISHED,RELATED -j ACCEPT
> > # iptables -A FORWARD -s $YOUR_OPENVPN_SUBNET -o $IF_MAIN -j ACCEPT
> > # iptables -t nat -A POSTROUTING -s $YOUR_OPENVPN_SUBNET -o $IF_MAIN -j MASQUERADE
> > # iptables -t nat -A POSTROUTING -s $YOUR_OPENVPN_SUBNET -j SNAT --to OpenVPN_NIC_IP
> >
> > Thank you.
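The kind of multi-interface mistake the routing table above is meant to expose can be checked mechanically before blaming the VPN. This is an added example, not from the thread: the checks are general ones (duplicate default routes, a gateway that is not a host address on a connected subnet, a `src` that is a network or broadcast address), and SAMPLE_TABLE is a constructed copy of the table posted above.

```python
"""Lint an `ip route` listing for host-side mistakes that get blamed on
OpenVPN but are plain multi-interface routing errors.

Added example, not from the thread. Three checks: more than one default
route; a gateway that is not a usable host address on a subnet reached
directly through the same device; a 'src' address that is the network or
broadcast address of its prefix. SAMPLE_TABLE is a constructed copy of the
table posted above; the checks themselves are general.
"""
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    dst: ipaddress.IPv4Network
    via: Optional[ipaddress.IPv4Address]
    dev: Optional[str]
    src: Optional[ipaddress.IPv4Address]


SAMPLE_TABLE = """\
default via 10.1.101.1 dev enp5s0
default via 10.2.110.0 dev enp7s0
10.1.101.0/24 dev enp5s0 proto kernel scope link src 10.1.101.101
10.2.110.0/24 dev enp7s0 proto kernel scope link src 10.2.110.255
10.56.101.0/24 via 10.56.101.102 dev tunc56007
10.56.101.102 dev tunc56007 proto kernel scope link src 10.56.101.101
10.66.97.86 via 10.56.101.102 dev tunc56007
10.126.66.0/24 dev tuns12666 proto kernel scope link src 10.126.66.101
192.168.56.0/24 dev vboxnet0 proto kernel scope link src 192.168.56.1
"""


def parse_ip_route(text: str) -> list:
    """Parse `ip -4 route` lines; only key/value attributes are expected."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        dst = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        if "/" not in dst:
            dst += "/32"                          # bare address is a host route
        attrs = dict(zip(tok[1::2], tok[2::2]))   # 'via X dev Y ... src Z'
        routes.append(Route(
            ipaddress.ip_network(dst, strict=False),
            ipaddress.ip_address(attrs["via"]) if "via" in attrs else None,
            attrs.get("dev"),
            ipaddress.ip_address(attrs["src"]) if "src" in attrs else None,
        ))
    return routes


def usable_host(addr, net) -> bool:
    """True if addr lies in net and is not its network/broadcast address."""
    if addr not in net:
        return False
    if net.prefixlen >= 31:                       # point-to-point or host route
        return True
    return addr not in (net.network_address, net.broadcast_address)


def lint(routes: list) -> list:
    """Return a human-readable problem string per finding, in table order."""
    problems = []
    defaults = [r for r in routes if r.dst.prefixlen == 0]
    if len(defaults) > 1:
        problems.append(f"{len(defaults)} default routes: "
                        + ", ".join(f"via {r.via} dev {r.dev}" for r in defaults))
    connected = [r for r in routes if r.via is None]
    for r in routes:
        if r.via is not None and not any(
                c.dev == r.dev and usable_host(r.via, c.dst) for c in connected):
            problems.append(f"gateway {r.via} for {r.dst} is not a host address "
                            f"on a subnet connected through {r.dev}")
        if r.src is not None and r.dst.prefixlen < 31 and not usable_host(r.src, r.dst):
            problems.append(f"src {r.src} on {r.dev} is not a host address in {r.dst}")
    return problems


if __name__ == "__main__":
    for p in lint(parse_ip_route(SAMPLE_TABLE)):
        print("PROBLEM:", p)
```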
Re: [Openvpn-users] How to determine the correct MTU/fragment value in OpenVPN 2.6
--- Original Message ---
On Friday, July 28th, 2023 at 16:42, Niccolò Belli wrote:

> On 2023-07-29 18:13 tincantech wrote:
>
> > My analysis of your test data, reduces to the following comment:
> >
> > Personally, I do not consider Google to be a valid target to test
> > against.
>
> I used Google as an example, but the MTU I've found is correct and I can
> confirm it with any other address, including my server's public IP.

In future, the only valid target is your server (or client). I am not interested in comparing your various network paths. Establish a well known MTU on a well known path, first.

> > However, considering the data you have posted, I think OpenVPN
> > has documented the most simple solution.
> >
> > The example given is to use these options:
> >
> > --tun-mtu 1500 --fragment 1300 --mssfix
> >
> > If you are confident that you have established the genuine PMTU
> > between your client and server then adjust the --tun-mtu value
> > as you see fit. Then, starting with the --fragment value given,
> > adjust --fragment until you establish the likely maximum.
>
> What's fragment's max parameter (1300 in your example) supposed to mean?
> If it's the payload size after which openvpn starts to internally
> fragment packets shouldn't I just set "--fragment <mtu>" where <mtu>
> is the lowest MTU between the client and the server?
Considering your command of English, this is documented:
https://build.openvpn.net/man/openvpn-2.6/openvpn.8.html

See: --fragment, --mssfix and --tun-mtu

Regards
--
Re: [Openvpn-users] How to determine the correct MTU/fragment value in OpenVPN 2.6
--- Original Message ---
On Friday, July 28th, 2023 at 14:52, Niccolò Belli wrote:

> On 2023-07-24 13:23 tincantech wrote:
>
> > If your PMTU is changing "on a daily basis" then you should probably report
> > that as a fault to your Internet Service Provider(s).
>
> Forget what I've written before: I've done many more tests and apparently
> my connection(s)' MTU is not changing but something else is going on
> with openvpn.

My analysis of your test data, reduces to the following comment:

Personally, I do not consider Google to be a valid target to test against.

root@home ~ # ping -M do -s 1252 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 1252(1280) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3003ms

root@home ~ # ping -M do -s 1252 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 1252(1280) bytes of data.
1260 bytes from 1.1.1.1: icmp_seq=1 ttl=58 time=13.5 ms
1260 bytes from 1.1.1.1: icmp_seq=2 ttl=58 time=13.1 ms
^C
--- 1.1.1.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 13.142/13.312/13.482/0.170 ms

I'll leave that hanging ...

The value of PMTU, or Path MTU, is really only valid between your source location and your destination location. Testing against a third party is less valid, as seen above.

However, considering the data you have posted, I think OpenVPN has documented the most simple solution.

The example given is to use these options:

--tun-mtu 1500 --fragment 1300 --mssfix

If you are confident that you have established the genuine PMTU between your client and server then adjust the --tun-mtu value as you see fit. Then, starting with the --fragment value given, adjust --fragment until you establish the likely maximum.

With regard to your multi-path tests, it's complicated and above my pay grade..
Regards -- > > From the server: > > # traceroute --mtu 8.8.8.8 > traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 65000 byte packets > 1 16.806 ms F=1492 16.665 ms 16.546 ms > 2 16.304 ms 16.381 ms 16.289 ms > 3 16.488 ms 16.550 ms 16.091 ms > 4 17.593 ms 16.074 ms 16.125 ms > 5 17.159 ms 74.125.245.241 (74.125.245.241) 17.205 ms 17.850 ms > 6 16.904 ms 142.250.211.23 (142.250.211.23) 16.462 ms > 142.251.235.175 (142.251.235.175) 16.407 ms > 7 dns.google (8.8.8.8) 16.685 ms 16.334 ms 16.434 ms > > The server has an MTU of 1492 and I can confirm it with the following: > ping -M do -s 1464 -c 1 8.8.8.8 //OK > 1464 + 28 (20 bytes for the IPv4 header and 8 bytes for the ICMP header) > = 1492 > > My primary Tiscali connection which I use for the client has an MTU of > 1460: > ping -M do -s 1432 -c 1 8.8.8.8 //OK > (1432+28=1460) > > If I connect with the Tiscali client and try to ping over the tunnel I > get to an MTU of 1394 for the tunnel: > ping -M do -s 1366 -c 1 192.168.2.1 //OK > (1366+28=1394) > > So I guess that the encryption overhead accounts for 66 bytes > (1460-1394=66). > > The Tiscali connection (which is a 200Mps/20Mbps FTTC) is weird in my > opinion, because the PPPoE header should be 8 bytes and that should > translate to a 1492 MTU, not 1460. > Also apparently a traceroute --mtu suggests 1492 as well, but there are > only asterisks which is even weirder: > > # traceroute --mtu 8.8.8.8 > traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 65000 byte packets > 1 _gateway (192.168.1.1) 1.219 ms F=1500 0.876 ms 0.986 ms > 2 * F=1492 * * > 3 * * * > 4 * * * > 5 * * * > 6 * * * > 7 * * * > 8 * * * > 9 * * * > 10 * * * > 11 * * * > 12 * * * > 13 * * * > 14 * * * > 15 * * * > 16 * * * > 17 * * * > 18 * * * > 19 * * * > 20 * * * > [...] 
> > So I decided to try connecting to my openvpn server from an Iliad > hotspot, which under normal circumstances has an MTU of 1420: > > # traceroute --mtu 8.8.8.8 > traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 65000 byte packets > 1 _gateway (192.168.61.7) 2.465 ms F=1500 2.290 ms 2.329 ms > 2 * F=1420 * * > 3 * 192.168.3.14 (192.168.3.14) 87.831 ms 56.965 ms > 4 192.168.255.3 (192.168.255.3) 55.863 ms 55.182 ms 54.250 ms > 5 66.312 ms 64.891 ms 63.330 ms > 6 54.089 ms 51.763 ms * > 7 64.521 ms 71.594 ms 59.795 ms > 8 54.797 ms 71.373 ms 69.394 ms > 9 * * * > 10 dns.google (8.8.8.8) 68.258 ms 69.061 ms 142.250.211.30 > (142.250.211.30) 64.794 ms > > ping -M do -s 1392 -c 1 8.8.8.8 //OK > (1392+28=1420) > > Traceroute seems to work via the Iliad connection. > > Which payload size would you expect me to be able to ping over the > openvpn tunnel? > > If you guessed 1392-66=1326 you would be wrong. I can get up to the full > 1500 MTU: > ping -M do -s 1472 -c 1 192.168.2.1 //OK > (1472+28=1500) > > This is WITHOUT fragment being set. In fact I use the very config I > previously used with the Tiscali connection on the same laptop. > > I've double checked switching between Tiscali and Iliad multiple times. > > What's happening? Is fragment being silently enabled? Why only on the >
Re: [Openvpn-users] Multiple OpenVPN server on one NIC
--- Original Message ---
On Monday, July 24th, 2023 at 13:39, Jason Long wrote:

> Hello,
> What is top-posting?
> I just click on "Reply all".

Please send your replies to the mailing list, unless otherwise instructed.

Try google: "What is top posting?"

However, it was Bo Berglund who asked to "Stop top posting".

Regards.
Re: [Openvpn-users] Multiple OpenVPN server on one NIC
Hi,

Was it not yourself that asked people to stop top-posting ?

Regardless, it behooves you to read the documentation for the tools you use.

The EasyRSA 'nopass' option, obviously, creates private keys without password encryption.
If you encrypt your private keys with a password then you must enter that password to use the keys in openvpn.
You would add to your config files 'askpass'.

Regards.

Sent with Proton Mail secure email.

--- Original Message ---
On Monday, July 24th, 2023 at 12:57, Jason Long wrote:

> Hello,
> Thank you so much for your reply.
>
> In these commands, why "nopass" ?
>
> # ./easyrsa build-ca nopass
> # ./easyrsa gen-req server nopass
> # ./easyrsa gen-req client nopass
>
> If I entered a password, then where is this password used?
>
> On Monday, July 24, 2023 at 02:46:18 PM GMT+3:30, tincantech via
> Openvpn-users openvpn-users@lists.sourceforge.net wrote:
>
> Hi,
>
> --- Original Message ---
> On Monday, July 24th, 2023 at 11:42, Jason Long via Openvpn-users
> openvpn-users@lists.sourceforge.net wrote:
>
> > Hello,
> > Thank you so much for your reply.
> > Your answer raised another question in my mind. Can I use the same
> > "ca.crt", "server.crt", "server.key" and "dh.pem" files for other servers?
> > Or do I need to create one for each new server?
> >
> > The tutorial that I used to create the crypto files uses the following
> > command:
> >
> > # ./easyrsa build-ca nopass
> > # ./easyrsa gen-req server nopass
> > # ./easyrsa gen-req client nopass
>
> You forgot the signing stage: easyrsa sign-req server server
> etc..
>
> > I want when the client wants to connect to my OpenVPN server, enter the
> > Username and Password. What changes should I make?
>
> To the client config add: auth-user-pass, which will prompt the client for
> user/pass.
>
> To the server config add: auth-user-pass-verify
>
> Consult the manual for full details of this directive.
> There is also some help in the Howto:
> https://community.openvpn.net/openvpn/wiki/HOWTO#Usingalternativeauthenticationmethods
>
> Regards.
Re: [Openvpn-users] How to determine the correct MTU/fragment value in OpenVPN 2.6
Hi,

This seems to have been forgotten.

--- Original Message ---
On Thursday, July 20th, 2023 at 11:24, Niccolò Belli wrote:

> I'm using Debian 12 Bookworm with OpenVPN 2.6.3 on the server and Arch
> Linux with OpenVPN 2.6.5 [git:makepkg/cbc9e0ce412e7b42+] on the client.
> I really don't understand what value I should put in fragment and the
> fact that things change on a day per day basis with apparently no reason
> makes everything even more difficult to understand.

If your PMTU is changing "on a daily basis" then you should probably report that as a fault to your Internet Service Provider(s).

The only possible way to configure OpenVPN to deal with such an unreliable network is to set options such as --link-mtu, --max-packet-size, --fragment and --mssfix to a value lower than the lowest expected PMTU.

With such a low PMTU as you describe, it may not be possible to use OpenVPN at all, because TLS does not allow for packet fragmentation, to my knowledge.

Regards.
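Both the hand-run PMTU probing quoted earlier in this thread (ping -M do -s N, with N + 28 = MTU) and the advice above to set --fragment and --mssfix below the lowest expected PMTU, as an added example that is not the posters' or the OpenVPN project's code: a binary search over DF-ping payload sizes, with the probe function injectable so it also runs offline against a simulated path. It assumes Linux iputils ping; the helper names are ours.

```python
"""PMTU search in the style of the thread: ping with DF set ('-M do') and a
chosen payload, then binary-search the largest payload that is answered.
Added example, not code from the OpenVPN project or the list posters.
Assumes Linux iputils ping; the probe is injectable so the search also runs
offline against a simulated path (used by __main__ below)."""
import re
import subprocess
from typing import Callable

# 20-byte IPv4 header + 8-byte ICMP header: the "+28" used throughout the thread
IPV4_ICMP_OVERHEAD = 28

# Constructed sample of the iputils statistics block quoted in the thread
SAMPLE_PING_STATS = """PING 8.8.8.8 (8.8.8.8) 1252(1280) bytes of data.
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3003ms
"""

Probe = Callable[[str, int], bool]   # (host, icmp_payload_bytes) -> echo reply received?


def parse_ping_stats(output: str) -> tuple[int, int]:
    """Return (transmitted, received) from iputils ping's statistics block."""
    m = re.search(r"(\d+) packets transmitted, (\d+) received", output)
    if not m:
        raise ValueError("no ping statistics block found")
    return int(m.group(1)), int(m.group(2))


def df_ping_succeeds(host: str, payload: int, timeout_s: int = 2) -> bool:
    """Send one echo with DF set and the given payload; True only on an echo reply.
    A local 'message too long', a 'frag needed' error and a silent drop (ICMP
    filtered on the path) all count as failure: only a reply proves the size fits."""
    proc = subprocess.run(
        ["ping", "-M", "do", "-s", str(payload), "-c", "1", "-W", str(timeout_s), host],
        capture_output=True, text=True, check=False,
    )
    try:
        _, received = parse_ping_stats(proc.stdout)
    except ValueError:
        return False
    return received > 0


def simulated_path(path_mtu: int) -> Probe:
    """Offline stand-in for df_ping_succeeds: a path that drops DF packets larger than path_mtu."""
    return lambda _host, payload: payload + IPV4_ICMP_OVERHEAD <= path_mtu


def find_pmtu(host: str, probe: Probe = df_ping_succeeds,
              lo_payload: int = 548, hi_payload: int = 1472) -> int:
    """Binary-search the largest DF payload that reaches host and return the path MTU.
    Bounds: 548 + 28 = 576 (IPv4 minimum) and 1472 + 28 = 1500 (plain Ethernet).
    As the thread says, probe the peer you tunnel to, not a third party."""
    if not probe(host, lo_payload):
        raise RuntimeError(f"{lo_payload}-byte payloads already fail: host down, ICMP filtered or wrong target")
    if probe(host, hi_payload):
        return hi_payload + IPV4_ICMP_OVERHEAD
    lo, hi = lo_payload, hi_payload        # invariant: lo fits, hi does not
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(host, mid):
            lo = mid
        else:
            hi = mid
    return lo + IPV4_ICMP_OVERHEAD


def tunnel_overhead(link_pmtu: int, tunnel_pmtu: int) -> int:
    """Bytes OpenVPN adds per packet, derived the way the poster did (1460 - 1394 = 66):
    link_pmtu is the PMTU to the server, tunnel_pmtu the PMTU measured through the tunnel."""
    return link_pmtu - tunnel_pmtu


if __name__ == "__main__":
    # Offline run over the two link MTUs from the thread; pass df_ping_succeeds for a live probe
    for mtu in (1460, 1420):
        print(f"simulated path MTU {mtu}: measured {find_pmtu('peer', simulated_path(mtu))}")
    print("tunnel overhead the poster observed:", tunnel_overhead(1460, 1394))
```

Run the same search once against the VPN server's public address and once against an address inside the tunnel; the difference between the two results is the per-packet overhead to keep in mind when lowering --fragment.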
Re: [Openvpn-users] Multiple OpenVPN server on one NIC
Hi,

--- Original Message ---
On Monday, July 24th, 2023 at 11:42, Jason Long via Openvpn-users wrote:

> Hello,
> Thank you so much for your reply.
> Your answer raised another question in my mind. Can I use the same "ca.crt",
> "server.crt", "server.key" and "dh.pem" files for other servers? Or do I need
> to create one for each new server?
>
> The tutorial that I used to create the crypto files uses the following command:
>
> # ./easyrsa build-ca nopass
> # ./easyrsa gen-req server nopass
> # ./easyrsa gen-req client nopass

You forgot the signing stage: easyrsa sign-req server server
etc..

> I want when the client wants to connect to my OpenVPN server, enter the
> Username and Password. What changes should I make?

To the client config add: auth-user-pass, which will prompt the client for user/pass.

To the server config add: auth-user-pass-verify

Consult the manual for full details of this directive.
There is also some help in the Howto:
https://community.openvpn.net/openvpn/wiki/HOWTO#Usingalternativeauthenticationmethods

Regards.
Re: [Openvpn-users] [ext] Re: CRL: cannot read CRL from file /etc/openvpn/ca/crl.pem
Hi,

please disregard my previous message.

The CRL is clearly not checked against the CA to verify it.

I also tested your CRL against my own server and it loads fine.

Relevant log entries:

Loading:
date/time: CRL: loaded 1 CRLs from file /home/tct/Downloads/crl.pem

Using:
date/time: VERIFY WARNING: depth=0, unable to get certificate CRL:

It works otherwise.

OpenSSL 1.1.1f
openvpn 2.7_git

BR

Sent with Proton Mail secure email.

--- Original Message ---
On Saturday, June 17th, 2023 at 14:01, tincantech via Openvpn-users wrote:

> Hi,
>
> this is a wild stab in the dark .. but
>
> perhaps the CRL is associated with a different CA to the --ca loaded by the
> server ?
>
> BR
>
> Sent with Proton Mail secure email.
>
> --- Original Message ---
> On Saturday, June 17th, 2023 at 13:37, Ralf Hildebrandt via Openvpn-users
> openvpn-users@lists.sourceforge.net wrote:
>
> > > This is from the working connection - so it's "just log noise", it seems,
> > > not causing an actual session abort.
> >
> > Good!
> >
> > > My gut feeling is that there is some garbage at the end of the CRL file,
> > > so OpenSSL is able to read "loaded 1 CRLs" from the file, and then there
> > > is something more, which confuses OpenSSL - but not enough to reject the
> > > session.
> >
> > Attached is the actual crl file in PEM format.
> >
> > --
> > Ralf Hildebrandt
> > Charité - Universitätsmedizin Berlin
> > Geschäftsbereich IT | Abteilung Netzwerk
> >
> > Campus Benjamin Franklin (CBF)
> > Haus I | 1. OG | Raum 105
> > Hindenburgdamm 30 | D-12203 Berlin
> >
> > Tel. +49 30 450 570 155
> > ralf.hildebra...@charite.de
> > https://www.charite.de
Re: [Openvpn-users] [ext] Re: CRL: cannot read CRL from file /etc/openvpn/ca/crl.pem
Hi,

this is a wild stab in the dark .. but

perhaps the CRL is associated with a different CA to the --ca loaded by the server ?

BR

Sent with Proton Mail secure email.

--- Original Message ---
On Saturday, June 17th, 2023 at 13:37, Ralf Hildebrandt via Openvpn-users wrote:

> > This is from the working connection - so it's "just log noise", it seems,
> > not causing an actual session abort.
>
> Good!
>
> > My gut feeling is that there is some garbage at the end of the CRL file,
> > so OpenSSL is able to read "loaded 1 CRLs" from the file, and then there is
> > something more, which confuses OpenSSL - but not enough to reject the
> > session.
>
> Attached is the actual crl file in PEM format.
>
> --
> Ralf Hildebrandt
> Charité - Universitätsmedizin Berlin
> Geschäftsbereich IT | Abteilung Netzwerk
>
> Campus Benjamin Franklin (CBF)
> Haus I | 1. OG | Raum 105
> Hindenburgdamm 30 | D-12203 Berlin
>
> Tel. +49 30 450 570 155
> ralf.hildebra...@charite.de
> https://www.charite.de
Re: [Openvpn-users] Easyrsa3 error when checking existing cert
Hi,

--- Original Message ---
On Wednesday, March 8th, 2023 at 20:07, Bo Berglund wrote:

> This happens on an updated easyrsa3 installation (see other thread for
> details).
>
> (previously existing client)
> $ easyrsa show-cert BrittisUbu
>
> Showing cert details for: 'BrittisUbu'
>
> This file is stored at:
> * /home/bosse/openvpn/easyrsa3/pki/issued/BrittisUbu.crt
> Certificate:
> Data:
>
> X509v3 Extended Key Usage:
> TLS Web Client Authentication
> X509v3 Key Usage:
> Digital Signature
> X509v3 Subject Alternative Name:
> DNS:BrittisUbu
> ---
>
> But when I try this I receive an error:
>
> $ easyrsa show-expire BrittisUbu
>
> * Using Easy-RSA configuration: /home/bosse/openvpn/easyrsa3/pki/vars
>
> * Using SSL: openssl OpenSSL 1.1.1f 31 Mar 2020
>
> WARNING
> ===
> Untrapped error detected!
>
> Next when I try with a client created after the update (no password on this):
>
> $ easyrsa show-expire TestClientNP
>
> * Using Easy-RSA configuration: /home/bosse/openvpn/easyrsa3/pki/vars
>
> * Using SSL: openssl OpenSSL 1.1.1f 31 Mar 2020
>
> And when I try with a new client with a password:
>
> $ easyrsa show-expire TestClientPW
>
> * Using Easy-RSA configuration: /home/bosse/openvpn/easyrsa3/pki/vars
>
> * Using SSL: openssl OpenSSL 1.1.1f 31 Mar 2020
>
> WARNING
> ===
> Untrapped error detected!
>
> Using easyrsa show-cert ClientName does show the cert (see start of post)
>
> If I use this directly it correctly shows the expiration dates for all certs:
>
> openssl x509 -dates -noout -in $CERT
>
> (when $CERT is any of the above)
>
> (Must be executed inside the directory holding the crt files i.e. pki/issued)
>
> What have I missed now?
> I thought it would show when the cert is due to expire, but maybe not?

Ok. For the use of show-expire there is a cut-off number of days.
--days=90

If you set --days to exceed when the cert will expire, eg --days=7301, then it should list the expire date, at least it does for me.

This is a legacy method, related to "valid renewal period", it can be improved.

As for the "untrapped error", stumped, I will try some tests.

Thanks
R
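The --days cut-off described in the reply above, as an added example that is not Easy-RSA's code: it parses the output of the openssl x509 -dates -noout command quoted in the thread and lists a certificate only when its notAfter falls inside the window, so --days=90 lists nothing for a certificate expiring in 2033 while --days=7301 does. The certificate dates are constructed samples and the helper names are ours.

```python
"""Mimic the cut-off behaviour the post describes for 'easyrsa show-expire --days=N'.
Added example, not Easy-RSA's own code; works on the text that
'openssl x509 -dates -noout -in CERT' prints, so no OpenSSL is needed offline."""
from datetime import datetime, timezone

# Constructed samples shaped like 'openssl x509 -dates -noout' output (not real certificates)
SAMPLE_DATES = {
    "BrittisUbu":   "notBefore=Mar  8 19:07:00 2023 GMT\nnotAfter=Mar  8 19:07:00 2033 GMT\n",
    "TestClientNP": "notBefore=Mar  8 19:07:00 2023 GMT\nnotAfter=May 10 08:00:00 2023 GMT\n",
}
# Fixed "now" so the offline run is reproducible; pass datetime.now(timezone.utc) for real use
NOW = datetime(2023, 3, 8, 19, 7, 0, tzinfo=timezone.utc)


def parse_openssl_date(value: str) -> datetime:
    """Parse one openssl date such as 'Mar  8 19:07:00 2033 GMT' as an aware UTC datetime."""
    value = value.strip()
    if value.endswith(" GMT"):
        value = value[:-4]
    # strptime treats a space in the format as "one or more", so the padded day parses too
    return datetime.strptime(value, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_x509_dates(output: str) -> tuple[datetime, datetime]:
    """Return (notBefore, notAfter) from the -dates output; both lines must be present."""
    found = {}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("notBefore", "notAfter"):
            found[key] = parse_openssl_date(value)
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("missing notBefore/notAfter line in openssl output")
    return found["notBefore"], found["notAfter"]


def days_until_expiry(dates_output: str, now: datetime = NOW) -> int:
    """Whole days left before notAfter; negative once the certificate has expired."""
    _, not_after = parse_x509_dates(dates_output)
    return (not_after - now).days


def show_expire(certs: dict[str, str], days: int = 90, now: datetime = NOW) -> list[str]:
    """Names of certificates whose notAfter lies within the next `days` days
    (already-expired ones included), mirroring the cut-off the post describes.
    With the default --days=90 a certificate valid until 2033 is simply not listed."""
    return [name for name, out in certs.items() if days_until_expiry(out, now) <= days]


if __name__ == "__main__":
    for window in (90, 7301):
        print(f"--days={window}:", show_expire(SAMPLE_DATES, window))
    for name, out in SAMPLE_DATES.items():
        print(name, "expires in", days_until_expiry(out), "days")
```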
Re: [Openvpn-users] Easy-rsa 3 config questions
Also,

Sent with Proton Mail secure email.

--- Original Message ---
On Wednesday, March 8th, 2023 at 16:35, tincantech via Openvpn-users wrote:

> Sent with Proton Mail secure email.
>
> --- Original Message ---
> On Wednesday, March 8th, 2023 at 14:30, Bo Berglund bo.bergl...@gmail.com
> wrote:
>
> > On Wed, 08 Mar 2023 01:45:40 +0000, tincantech via Openvpn-users
> > openvpn-users@lists.sourceforge.net wrote:
> >
> > > Appears to be correct.
> >
> > So now I have finally attacked the existing easy-rsa dir by doing this:
> >
> > 1) Copied the whole dir to easyrsa3 and renamed the source dir to easyrsa2
> > 2) Removed some old script files I had written and are no longer useful.
> > 3) Copied in the easyrsa3 files retrieved via svn as described earlier
> > and then moved the easyrsa script to ~/bin/ so as to put it on path.
> > 4) Failed to edit the vars file! <== ! see below
> > 5) Ran the command: EASYRSA_TEMP_DIR="$PWD" VERBOSE=1 easyrsa upgrade pki
> >
> > This failed luckily with these messages:
> >
> > cp: cannot stat '/home/bosse/openvpn/easy-rsa/keys/index.txt': No such file
> > or directory
> >
> > and
> >
> > ERROR: Failed to copy /home/bosse/openvpn/easy-rsa/keys/index.txt to
> > /home/bosse/openvpn/easyrsa3/pki
> >
> > Turns out that in the vars file was a directive:
> > export EASY_RSA="/home/bosse/openvpn/easy-rsa"
> >
> > Which in this case after renaming easy-rsa to easyrsa2 was nowhere to be
> > found.
> > If this rename had not been the case then I guess easyrsa would have
> > operated on the original v2 dir rather than the copy to be upgraded to v3.
> >
> > After I changed the export to the new dir the conversion went smoothly and
> > clients with and without passwords created in the new dir could connect
> > fine.
> >
> > So if a migration to version 3 is done on a copy of the version2 dir then it
> > is important to edit the vars file in that dir to point it to the new dir.
> >
> > Using this instead would probably be better:
> >
> > export EASY_RSA="$PWD"
>
> EasyRSA v3 does not use (and should not allow) 'export foo=bar'.
>
> There is a line in 'vars' which is:
> #set_var EASYRSA "${0%/*}"
>
> and should remain that way, unless you know what you are doing.
>
> The script assigns EASYRSA internally, if this remains unset in 'vars'.
>
> How 'export' got into your 'vars' file, I cannot say.

EASY_RSA is not a variable in use by v3.

Even so, v3 should now allow use of 'export', regardless of circumstances:
https://github.com/OpenVPN/easy-rsa/issues/909

This is a change we made to your v2 vars file, I believe, to point to your copy keys file..

Regards
R
Re: [Openvpn-users] Easy-rsa 3 config questions
Sent with Proton Mail secure email.

--- Original Message ---
On Wednesday, March 8th, 2023 at 14:30, Bo Berglund wrote:

> On Wed, 08 Mar 2023 01:45:40 +0000, tincantech via Openvpn-users
> openvpn-users@lists.sourceforge.net wrote:
>
> > Appears to be correct.
>
> So now I have finally attacked the existing easy-rsa dir by doing this:
>
> 1) Copied the whole dir to easyrsa3 and renamed the source dir to easyrsa2
> 2) Removed some old script files I had written and are no longer useful.
> 3) Copied in the easyrsa3 files retrieved via svn as described earlier
> and then moved the easyrsa script to ~/bin/ so as to put it on path.
> 4) Failed to edit the vars file! <== ! see below
> 5) Ran the command: EASYRSA_TEMP_DIR="$PWD" VERBOSE=1 easyrsa upgrade pki
>
> This failed luckily with these messages:
>
> cp: cannot stat '/home/bosse/openvpn/easy-rsa/keys/index.txt': No such file or
> directory
>
> and
>
> ERROR: Failed to copy /home/bosse/openvpn/easy-rsa/keys/index.txt to
> /home/bosse/openvpn/easyrsa3/pki
>
> Turns out that in the vars file was a directive:
> export EASY_RSA="/home/bosse/openvpn/easy-rsa"
>
> Which in this case after renaming easy-rsa to easyrsa2 was nowhere to be
> found.
> If this rename had not been the case then I guess easyrsa would have operated
> on the original v2 dir rather than the copy to be upgraded to v3.
>
> After I changed the export to the new dir the conversion went smoothly and
> clients with and without passwords created in the new dir could connect fine.
>
> So if a migration to version 3 is done on a copy of the version2 dir then it
> is important to edit the vars file in that dir to point it to the new dir.
>
> Using this instead would probably be better:
>
> export EASY_RSA="$PWD"

EasyRSA v3 does not use (and should not allow) 'export foo=bar'.

There is a line in 'vars' which is:
#set_var EASYRSA "${0%/*}"

and should remain that way, unless you know what you are doing.

The script assigns EASYRSA internally, if this remains unset in 'vars'.

How 'export' got into your 'vars' file, I cannot say.

Regards
R
Re: [Openvpn-users] Easy-rsa 3 config questions
Hi,

--- Original Message ---
On Wednesday, March 8th, 2023 at 00:24, Bo Berglund wrote:

> On Tue, 07 Mar 2023 11:55:34 +0100, Bo Berglund bo.bergl...@gmail.com wrote:
>
> > I have now completed my conversion of the old script to ease building ovpn
> > files for the clients. It handles both with and without password protection.
>
> While documenting my procedure for the test upgrade on a copy of my real
> system I noticed when checking GitHub that the trunk version of
> easyrsa3/easyrsa has been committed to on Upgrade-23 2 days ago.
>
> Does this include the modifications to easyrsa we have been discussing in
> order to get the upgrade working?

Yes. The problems that you experienced exposed two bugs:

1. 'vars' file to CA details mismatch causes fatal error.
Solved by downgrading error to warning.

2. Cannot create temp-files
Because the default location does not exist yet, the new PKI.
Reprioritised creating the new PKI.

> In that case I do not need to describe the edits needed but rather only note
> the download command I have used to get the latest version.
> Which is:
>
> svn export https://github.com/OpenVPN/easy-rsa.git/trunk/easyrsa3 easyrsa3
>
> It gave me these 11 files:
>
> A easyrsa3
> A easyrsa3/easyrsa
> A easyrsa3/openssl-easyrsa.cnf
> A easyrsa3/vars.example
> A easyrsa3/x509-types
> A easyrsa3/x509-types/COMMON
> A easyrsa3/x509-types/ca
> A easyrsa3/x509-types/client
> A easyrsa3/x509-types/code-signing
> A easyrsa3/x509-types/email
> A easyrsa3/x509-types/kdc
> A easyrsa3/x509-types/server
> A easyrsa3/x509-types/serverClient

Appears to be correct.

FYI, 'git' is really good too, you might give it a shot.

Once again, thanks for your help .. to have come away from testing the upgrade so thoroughly, with only minor wounds, is remarkable :-)

Regards
R
Re: [Openvpn-users] Easy-rsa 3 config questions
Sent with Proton Mail secure email.

--- Original Message ---
On Tuesday, March 7th, 2023 at 10:55, Bo Berglund wrote:

> I have now completed my conversion of the old script to ease building ovpn
> files for the clients. It handles both with and without password protection.
>
> While doing so I saw that easyrsa3 does produce some files I don't know what
> purpose they are for:
>
> Into dir pki/reqs the conversion moved the old *.csr files but new files
> winding up here are .req.
> What are these used for? They (.csr and *.req) do not get into the OVPN files
> and they are not mentioned in the OpenVPN server.conf files.

.csr means certificate signing request. .req means the same thing but is simply "request".
For v3 they must be .req

> In pki/inline/ there are a number of ClientName.inline files, what are these
> used for? Are they the collection needed for the ovpn files?

These are inline files, created automatically for convenience.
If you are building your own inline files then you can ignore them.

> These files contain 3 of the sections I am putting into the ovpn files:
>
> This section contains more than the encrypted cert which I use
>
> This is the client.key itself
>
> ... This is the ca.crt
>
> But the ta.key file is not there, do I need to include the ta.key in my ovpn
> files???
> It is now being put into a section at the end of the ovpn files...
>
> Note:
> In my OpenVPN server.conf files I have this directive:
>
> tls-auth /etc/openvpn/keys/ta.key 0 # This file is secret
>
> It seems like such a file should not get into the ovpn files that are
> distributed, right?
>
> Should that section be removed from the new ovpn files?

You should know what an OpenVPN --tls-auth key is and why you need it.

The reason Easy-RSA does not add that key to the inline files automatically is because it does not know of this file.

Regards
R
Re: [Openvpn-users] Easy-rsa 3 config questions
Hi,

--- Original Message ---
On Monday, March 6th, 2023 at 20:42, Bo Berglund wrote:

> Question:
> -
> I will call easy-rsa from within my script and I want to enter the password
> as a variable in the script and pass it to easy-rsa when it is called to
> create the client files.
> How can I bypass the user input and write the password from my own script
> into easy-rsa?
> A command line argument would really be perfect!

Command line options for automated passwords are documented under 'help options'.

Basic notes:
- https://github.com/OpenVPN/easy-rsa/issues/838

EasyRSA uses --passin/--passout to pass values to OpenSSL -passin/-passout.
Those values are dictated by OpenSSL expected syntax. See:
- https://www.openssl.org/docs/man1.1.1/man1/openssl.html
(The very last section on that page)

Everybody wants automated passwords because moar security must be better..

R
Re: [Openvpn-users] Easy-rsa 3 config questions
Hi,

Only private keys can be encrypted by openssl with a password.
Certificates are basically public keys, therefore, password protecting them is completely pointless.

EasyRSA does not offer any form of subsequent encryption.
You can encrypt any file yourself using openssl.

To determine if a private key is password protected, simply look at the HEADER line in the file, which will read as:

-----BEGIN ENCRYPTED PRIVATE KEY-----

or

-----BEGIN PRIVATE KEY-----

For help with OpenVPN, there are two (possibly more) kinds of password, and it is not clear which type you mean.

There is a password to unlock an encrypted private key.
This requires OpenVPN option --askpass, to query for the password.

There are also login/connection passwords. All of which are configured by the server.
These passwords require OpenVPN options such as --auth-user-pass in the client config, to query for a username and password.
And others for tokens and OTP.

Regards
R
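The header check described in the reply above, written out as an added example (it is not part of the mail and not EasyRSA code): a POSIX shell function that classifies a PEM private key by its header lines. It covers the PKCS#8 form that EasyRSA 3 writes, where the BEGIN line itself says ENCRYPTED, and the legacy "RSA PRIVATE KEY" form, where the BEGIN line is identical for both cases and the encryption is flagged by a Proc-Type line instead (the Name.3des.key files mentioned later in this thread are of that kind). The sample files it creates are constructed with dummy bodies and exist only to exercise the check.

```shell
#!/bin/sh
# Added example (not from the mail, not EasyRSA code): tell a passphrase-protected
# PEM private key from an unprotected one by its header lines.

# key_encryption_state FILE
#   prints "encrypted" or "plain" and returns 0 for a PEM private key,
#   returns 2 for anything else (certificate, CSR, garbage).
key_encryption_state() {
    file="$1"
    # PKCS#8 (what EasyRSA 3 / OpenSSL 1.1+ write): the header says it all.
    if grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$file"; then
        echo encrypted
        return 0
    fi
    # Legacy "traditional" PEM (RSA/EC/DSA PRIVATE KEY): the BEGIN line is the
    # same whether or not the key is encrypted; the Proc-Type header is the flag.
    if grep -Eq '^-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----' "$file"; then
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$file"; then
            echo encrypted
        else
            echo plain
        fi
        return 0
    fi
    echo "$file: not a PEM private key" >&2
    return 2
}

# make_samples DIR: writes four constructed files (dummy base64 bodies, not real
# keys) so the check can be exercised offline.
make_samples() {
    dir="$1"
    cat > "$dir/pkcs8-encrypted.key" <<'EOF'
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIConstructedSampleBodyNotARealKey0000000000000000000000000000==
-----END ENCRYPTED PRIVATE KEY-----
EOF
    cat > "$dir/pkcs8-plain.key" <<'EOF'
-----BEGIN PRIVATE KEY-----
MIIConstructedSampleBodyNotARealKey0000000000000000000000000000==
-----END PRIVATE KEY-----
EOF
    cat > "$dir/legacy-encrypted.key" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

MIIConstructedSampleBodyNotARealKey0000000000000000000000000000==
-----END RSA PRIVATE KEY-----
EOF
    cat > "$dir/client.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIConstructedSampleBodyNotARealCert000000000000000000000000000==
-----END CERTIFICATE-----
EOF
}

# Walk the constructed samples, or a real directory such as pki/private/ when
# one is passed as $1, and report the state of every file.
main() {
    dir="${1:-$(mktemp -d)}"
    [ -n "$1" ] || make_samples "$dir"
    for f in "$dir"/*; do
        state=$(key_encryption_state "$f" 2>/dev/null) || state="skipped (not a private key)"
        printf '%-24s %s\n' "$(basename "$f")" "$state"
    done
    [ -n "$1" ] || rm -rf "$dir"
}

main "$@"
```

Run it without arguments to see the four constructed cases, or point it at a pki/private directory to audit which client keys were built with nopass. Only the header is inspected, so the check is fast and needs no passphrase; it says nothing about the strength of the encryption used, which is visible in the DEK-Info line (legacy) or inside the PKCS#8 structure.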
Re: [Openvpn-users] Easy-rsa 3 config questions
Hi,

To build private keys without passwords, either:

- easyrsa build-client-full cli-name nopass (The original method)

or

- easyrsa --nopass build-client-full cli-name (The new method)

Option --nopass can be either --nopass or --no-pass. All will remain supported.

Without one of these options, the key will be password protected.
You do not need to run openssl to encrypt the file further, but that is entirely your decision.

To customise options specified by vars, in the case of email use:

- easyrsa --req-email=n...@example.net build-client-full cli-name

Add the options you choose for passwords.
See 'easyrsa help options' for more.

FTR: OpenSSL claims that email, if used, is generally the email of the CA administrator, not email per client certificate, but that is entirely your decision.

Regards
R
Re: [Openvpn-users] Easy-rsa 3 config questions
Hi,

Follow-up: https://github.com/OpenVPN/easy-rsa/issues/905

--- Original Message ---
On Sunday, March 5th, 2023 at 22:03, Bo Berglund wrote:

> On Sun, 05 Mar 2023 18:15:02 +0000, tincantech via Openvpn-users
> openvpn-users@lists.sourceforge.net wrote:
>
> > Hi,
> > Bo,
> >
> > first, please accept my apologies for putting you through this torture.
> > Somebody had to test it one day, that day has come.
> > Second, thank you for persevering with me.
> > Hopefully, I have found a reasonably simple solution.
>
> Thanks, this worked a lot better!

Phew! Thank you for your patience and determination!
It has been invaluable to solving this issue.

> So here is one item that I probably got wrong:
> I thought the environment var setting should be:
> $ EASYRSA_TEMP_DIR="$PWD/tmp"
> but it seems like it should be the easyrsa main directory, right?

EASYRSA_TEMP_DIR can be any folder which *already* exists.
'easyrsa' will not create it for you. And you must have write access to it.
I chose $PWD to try to ensure we had a similar working environment.

> And this should be: "VERBOSE=1 ./easyrsa upgrade pki" in order to work...

Yes, indeed, I forgot the path ./ qualifier.
Note: easyrsa can be run from your $PATH, eg: /usr/local/sbin/easyrsa

> I will send you the session logfile I created for this run separately.

As mentioned off-list, your log looks "text-book" successful.

> > If it complains that your new pki already exists then please remove it and
> > try once more..
>
> There was no pki dir when I started, but now it is there. :-)

And summer cometh ;-) .. good news indeed!

Everything else also looks fine. But let us not jump the gun.

FTR: Yes, this upgrade is essentially to move files to where they are expected by easyrsa v3.
It also removes old easyrsa v2 shell and .bat files.
And recognition is now better than it was before!

Thank you
R
Re: [Openvpn-users] Easy-rsa 3 config questions
Hi,

Bo,

first, please accept my apologies for putting you through this torture.
Somebody had to test it one day, that day has come.

Second, thank you for persevering with me.

Hopefully, I have found a reasonably simple solution.

Required changes:

Keep the "mismatched CA to vars file" as a warning ONLY, keep that current change.

Now, locate this code in function up23_do_upgrade_23():

up23_verify_new_pki
up23_verify_current_pki
up23_verify_current_ca
up23_backup_current_pki
up23_create_new_pki
up23_upgrade_ca
up23_move_easyrsa2_programs
up23_build_v3_vars
up23_create_openssl_cnf

Change that to this (Copy/paste as is):

up23_verify_new_pki
up23_create_new_pki
up23_create_openssl_cnf
up23_verify_current_pki
up23_verify_current_ca
up23_backup_current_pki
up23_upgrade_ca
up23_move_easyrsa2_programs
up23_build_v3_vars

Then, locate this code (Almost at the very end of the entire file):

upgrade)
up23_manage_upgrade_23 "$@"
;;

Change to this:

upgrade)
secure_session
up23_manage_upgrade_23 "$@"
;;

The actual diff is:

@@ -5156,14 +5183,14 @@ up23_do_upgrade_23 () up23_verbose "" up23_verify_new_pki + up23_create_new_pki + up23_create_openssl_cnf up23_verify_current_pki up23_verify_current_ca up23_backup_current_pki - up23_create_new_pki up23_upgrade_ca up23_move_easyrsa2_programs up23_build_v3_vars - up23_create_openssl_cnf if [ "$NOSAVE" -eq 0 ] then
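Review bot: moving up23_create_new_pki and up23_create_openssl_cnf ahead of up23_verify_current_pki and up23_verify_current_ca in this hunk means the new ./pki directory and its openssl config are written to disk before the old v2 PKI has been validated, so a failed verification now leaves a half-created pki behind and the next attempt is refused because the new pki already exists (the mail itself anticipates exactly that: "If it complains that your new pki already exists then please remove it and try once more"). Either keep the two verify steps ahead of the create steps and create the openssl config only where it is first needed, or make up23_fail_upgrade remove the pki it just created on the failure path, so that `easyrsa upgrade pki` stays safely re-runnable.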
@@ -5734,6 +5761,7 @@ case "$cmd" in make_safe_ssl "$@" ;; upgrade) + secure_session up23_manage_upgrade_23 "$@" ;; ""|help|-h|--help|--usage)

This should ensure a temporary session and files can be created.

Finally, run the upgrade like so:

$ EASYRSA_TEMP_DIR="$PWD" VERBOSE=1 easyrsa upgrade pki

If it complains that your new pki already exists then please remove it and try once more..

I am cutting the rest of this email for brevity.

Highest regards
Richard
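Review bot: adding secure_session before up23_manage_upgrade_23 makes `upgrade` depend on EASYRSA_TEMP_DIR pointing at an existing, writable directory (as stated elsewhere in this thread), but nothing in this hunk shows the temporary session being torn down when the upgrade fails or is interrupted part way through. Check that the cleanup the other commands in this case statement get also runs for `upgrade`, and that a missing or unwritable temp dir produces a clear error at this point rather than a failure deep inside the upgrade after files have already been moved.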
Re: [Openvpn-users] Easy-rsa 3 config questions
Hi,

please remember to copy the mailing list. Comment below.

--- Original Message ---
On Sunday, March 5th, 2023 at 09:53, Bo Berglund wrote:

> Hi,
> I tried to figure out why the CA check failed by reading what easyrsa does
> when it issues the error message...
> It looks like it tries to verify the content of ca.crt against the vars file
> using the easyrsa_openssl() function.
>
> # Match the current CA elements to the vars file settings
> CA_vars_match=1
> [ "$CA_countryName" = "$KEY_COUNTRY" ] || CA_vars_match=0
> [ "$CA_stateOrProvinceName" = "$KEY_PROVINCE" ] || CA_vars_match=0
> [ "$CA_localityName" = "$KEY_CITY" ] || CA_vars_match=0
> [ "$CA_organizationName" = "$KEY_ORG" ] || CA_vars_match=0
> [ "$CA_organizationalUnitName" = "$KEY_OU" ] || CA_vars_match=0
> [ "$CA_emailAddress" = "$KEY_EMAIL" ] || CA_vars_match=0
>
> if [ "$CA_vars_match" -eq 1 ]
> then
> CURRENT_CA_IS_VERIFIED="partially"
> else
> up23_fail_upgrade "CA certificate does not match vars file settings"
> fi
>
> So I issued the extraction command on the command line as follows to check
> what is actually in ca.crt:
>
> ~/openvpn/EasyRSA-3.1.2/keys$ openssl x509 -subject -nameopt
> utf8,sep_multiline,space_eq,lname,align -noout -in ca.crt
> subject=
> countryName = SE
> stateOrProvinceName = Stockholm
> localityName = Stockholm
> organizationName = Private
> organizationalUnitName = Dev
> commonName = BosseOVPN
> name = server
> emailAddress = bo.bergl...@telia.com
>
> My vars file has this:
>
> # These are the default values for fields
> # which will be placed in the certificate.
> # Don't leave any of these fields blank.
> export KEY_COUNTRY="SE"
> export KEY_PROVINCE="--" # <= Notice difference
> export KEY_CITY="Stockholm"
> export KEY_ORG="Private"
> export KEY_EMAIL="bo.bergl...@telia.com"
> export KEY_OU="Dev"
>
> # X509 Subject Field
> export KEY_NAME="server"
>
> Since easyrsa is checking the 6 items I modified the KEY_PROVINCE var to also
> contain Stockholm and reran the command.
> But I got the exact same output this time too.
>
> Since the commonName is also there but not checked by easyrsa at that point I
> left that in place...
>
> At wits end...
>
> /Bo B

Sorry, I cannot see why there is a mismatch. However, we can omit that check.

Find this code below the code you copied above:

if [ "$CA_vars_match" -eq 1 ]
then
CURRENT_CA_IS_VERIFIED="partially"
else
up23_fail_upgrade "CA certificate does not match vars file settings"
fi

Change 'up23_fail_upgrade' to 'warn', this will warn but not fail.

See how that goes.

Sorry for all these difficulties, it always worked for me.

R

> -Original Message-
> From: Bo Berglund bo.bergl...@gmail.com
> Sent: Sunday, 5 March 2023 07:27
> To: 'tincantech' tincant...@protonmail.com
> Subject: RE: [Openvpn-users] Easy-rsa 3 config questions
>
> Hi, new day more testing...
>
> Things changed a bit and I got a new output after using the easyrsa file from
> git trunk in place of the 3.1.2 release version.
>
> Attached is what I got now, where the temp issue is gone and it really starts
> looking around.
>
> The error line now is:
> ERROR: CA certificate does not match vars file settings
>
> And I don't know what this means...
>
> If needed I can send some files from the keys dir, if there is a problem with
> one of these...
>
> Best Regards,
>
> Bo Berglund
> email: bo.bergl...@gmail.com
>
>
> -Original Message-
> From: tincantech tincant...@protonmail.com
> Sent: Saturday, 4 March 2023 21:48
> To: bo.bergl...@gmail.com; openvpn users list
> (openvpn-users@lists.sourceforge.net) openvpn-users@lists.sourceforge.net
> Subject: RE: [Openvpn-users] Easy-rsa 3 config questions
>
> Hi,
>
> FTR: Simply downloading git/master/easyrsa is enough,
> using say, Firefox.
>
> And yes, you only need the files that you have downloaded.
> I can only hope that they are in the correct place..
>
> With fingers-crossed, I look forward to our next chapter!
>
> Regards
> Richard
>
> --- Original Message ---
> On Saturday, March 4th, 2023 at 17:41, tincantech tincant...@protonmail.com
> wrote:
>
> > Updating openvpn-users list.
> >
> > If you do not use a browser for your internet then I do not support
> > what-ever method that you do use.
> >
> > Regards
> >
> > --- Original Message ---
> > On Saturday, March 4th, 2023 at 16:53, Bo Berglund bo.bergl...@gmail.com
> > wrote:
> >
> > > OK,
> > > I have limited knowledge of git and I don't want to check out a complete
> > > repository with all historical data etc.
> > > I tried using svn like this:
> > >
> > > svn export https://github.com/OpenVPN/easy-rsa/trunk/easyrsa3
> > >
> > > And it seemed to have worked, so I will go ahead
Re: [Openvpn-users] Easy-rsa 3 config questions
Hi,

FTR: Simply downloading git/master/easyrsa is enough, using say, Firefox.

And yes, you only need the files that you *have* downloaded.
I can only hope that they are in the correct place..

With fingers-crossed, I look forward to our next chapter!

Regards
Richard

--- Original Message ---
On Saturday, March 4th, 2023 at 17:41, tincantech wrote:

> Updating openvpn-users list.
>
> If you do not use a browser for your internet then I do not support
> what-ever method that you do use.
>
> Regards
>
> --- Original Message ---
> On Saturday, March 4th, 2023 at 16:53, Bo Berglund bo.bergl...@gmail.com
> wrote:
>
> > OK,
> > I have limited knowledge of git and I don't want to check out a complete
> > repository with all historical data etc.
> > I tried using svn like this:
> >
> > svn export https://github.com/OpenVPN/easy-rsa/trunk/easyrsa3
> >
> > And it seemed to have worked, so I will go ahead tomorrow morning with this
> > version of easyrsa.
> > This export actually got me fewer files too:
> > easyrsa
> > openssl-easyrsa.cnf
> > vars.example
> > x509-types (a directory)
> >
> > Are these enough for now?
> >
> > /Bo B
> >
> > -Original Message-
> > From: tincantech tincant...@protonmail.com
> > Sent: Saturday, 4 March 2023 16:20
> > To: bo.bergl...@gmail.com; openvpn users list
> > (openvpn-users@lists.sourceforge.net) openvpn-users@lists.sourceforge.net
> > Subject: RE: [Openvpn-users] Easy-rsa 3 config questions
> >
> > Hi,
> >
> > EASYRSA_TEMP_DIR is a temporary directory, which MUST exist
> > and you MUST have write access to it. It can be anywhere.
> >
> > Also, env-vars can be specified on the command line.
> > eg: $ EASYRSA_TEMP_DIR="/tmp/easyrsa" easyrsa upgrade pki
> > Without ';' termination, is valid.
> >
> > Finally:
> > There is a bug in EasyRSA 3.1.2 which has been fixed in git/master.
> >
> > Please try git/master from:
> > https://github.com/OpenVPN/easy-rsa/tree/master/easyrsa3
> >
> > The bug-fix verifies that you have a working openssl before creating
> > a temporary session and file.
> >
> > Regards
> > Richard
Re: [Openvpn-users] Easy-rsa 3 config questions
Hi,

EASYRSA_TEMP_DIR is a temporary directory, which MUST exist and you MUST have write access to it. It can be anywhere.

Also, env-vars can be specified on the command line.
eg: $ EASYRSA_TEMP_DIR="/tmp/easyrsa" easyrsa upgrade pki
Without ';' termination, is valid.

Finally:
There is a bug in EasyRSA 3.1.2 which has been fixed in git/master.

Please try git/master from:
https://github.com/OpenVPN/easy-rsa/tree/master/easyrsa3

The bug-fix verifies that you have a working openssl before creating a temporary session and file.

Regards
Richard
Re: [Openvpn-users] Easy-rsa 3 config questions
Hi,

--- Original Message ---
On Friday, March 3rd, 2023 at 17:31, Bo Berglund wrote:

> > > > The simple answer is, try it!
> > >
> > > Hmm, nothing seems to have happened:
> > > ---
> > > $ ./easyrsa upgrade pki
> > >
> > > Notice
> > > --
> > > Your PKI is fully up to date.
> >
> > This is due to a v3 'vars' file existing prior to running the upgrade.
> > To remedy this, simply rename 'vars' to 'vars.backup', for example.
>
> Well, I did not copy my old vars file to the new EasyRSA-3.1.2 dir, instead I
> edited the existing vars.example file in order to increase the expire time from 10
> to 20 years and saved it as vars.
>
> So the vars file is a version 3 vars file as a copy of the vars.example plus
> some edits.
>
> Is that not what one should do?

The upgrade code assumes that you have a v2 ./keys and associated files.
It assumes the upgrade is completed if it finds a v3 vars file.
If you introduce a v3 vars file prior to running the upgrade then the upgrade will not run.

This is all good test data, thanks,
R
Re: [Openvpn-users] Easy-rsa 3 config questions
Hi,

--- Original Message ---
On Friday, March 3rd, 2023 at 15:03, Bo Berglund wrote:

> On Fri, 03 Mar 2023 14:40:01 +0100, Bo Berglund bo.bergl...@gmail.com wrote:
>
> > So I have created a new "easy-rsa" dir by doing this:
> >
> > wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.1.2/EasyRSA-3.1.2.tgz
> > tar -xvf EasyRSA-3.1.2.tgz
> >
> > This gives me a new EasyRSA-3.1. subdir in parallel with the existing easy-rsa
> > dir.
> >
> > Then inside that I did:
> >
> > cp -r ../easy-rsa/keys ./
> >
> > So now I have a copy of the active keys dir from version 2 inside the version
> > 3 dir.
> >
> > Is this then ready to execute the upgrade command?
> >
> > easyrsa upgrade pki
> >
> > Note that the keys dir contains a whole lot of client related files as well,
> > four files for each client (Name.3des.key, Name.crt, Name.csr and Name.key)
> >
> > These have been used to create the ovpn files for each client, which are stored
> > in a "clients" subdir of easy-rsa.
>
> So I have now read the vars file and found that on EasyRSA-3.1.2 it seems like
> the keys directory is now named pki rather than keys...
>
> Does the upgrade read the ./keys dir and put converted data into ./pki ??

The upgrade is intended to create a v3 ./pki from a v2 ./keys folder.

Certificates are copied to ./pki/issued.
Keys are copied to ./pki/private.
A new vars file is built from settings in the current vars file.
A new openssl-easyrsa.cnf file is created.
Old program files from EasyRSA v2 are archived away.

Note: A test run is executed first.
All of your current files are saved to ./VERY-SAFE-PKI

PKCS files are not managed by the upgrade.
Revoked certificates are not moved to the revoked storage folder.

The simple answer is, try it!

Thanks
Richard
Re: [Openvpn-users] Easy-rsa 3 config questions
Hi Bo,

I would be interested to know the results of using EasyRSA to upgrade from a version 2 PKI to version 3.
It worked in all my tests but that's not really enough.

As the author of the `upgrade`, I am happy to help you with that.

Thanks
Richard

--- Original Message ---
On Thursday, March 2nd, 2023 at 16:56, Bo Berglund wrote:

> On Thu, 02 Mar 2023 14:01:24 +0000, tincantech via Openvpn-users
> openvpn-users@lists.sourceforge.net wrote:
>
> > --- Original Message ---
> > On Thursday, March 2nd, 2023 at 10:12, Bo Berglund bo.bergl...@gmail.com
> > wrote:
> >
> > > I have downloaded easy-rsa3 version to my OpenVPN server for testing.
> > > I did so using wget on the v3.1.2/EasyRSA-3.1.2.tgz file below Releases at
> > > GitHub.
> > >
> > > When I read the vars.example file I see that most of what I had to do in the
> > > vars file before is not really needed anymore. :-)
> > >
> > > But there are a couple of things regarding certs I don't understand fully so
> > > would like to get explained:
> > >
> > > # In how many days should the root CA key expire?
> > > #
> > > #set_var EASYRSA_CA_EXPIRE 3650
> > >
> > > Obviously based on earlier discussions here about looming expirations I would
> > > like to do this to raise the time to 20 years:
> > >
> > > set_var EASYRSA_CA_EXPIRE 7300
> > >
> > > However, the following seems also to be involved with expirations but I don't
> > > know for sure what to do...
> > >
> > > Do I need to also set these to 7300 to get a 20 year "working time"?
> > >
> > > # In how many days should certificates expire?
> > > #
> > > #set_var EASYRSA_CERT_EXPIRE 825
> >
> > This seems to me to be self-explanatory:
> >
> > * EASYRSA_CA_EXPIRE the CA certificate validity period.
> >
> > * EASYRSA_CERT_EXPIRE the entity certificate validity period.
>
> I have no real knowledge of what these files do, except I have understood that
> CA is used to validate to the client somehow.
> How that relates to CERT is unknown by me.
> I just set this up a number of years ago following a then valid how-to and later
> I have figured out that in a couple of years or so the server will no longer
> work unless I do something about CA expiration.
>
> That is why I got confused by the easy-rsa3 default having different times for CA
> and CERT.
>
> > > # How many days until the next CRL publish date? Note that the CRL can still
> > > # be parsed after this timeframe passes. It is only used for an expected next
> > > # publication date.
> > > #
> > > #set_var EASYRSA_CRL_DAYS 180
> > >
> > > Isn't the last one dealing with client cert revocations?
> > >
> > > Does it imply some automatic renewal of the revocations such that one does not
> > > have to build and copy a new crl file every now and then even if no new user
> > > logins have to be revoked to keep the server operational at all?
> > >
> > > In easy-rsa2 there was no way to update a crl file without also revoking an
> > > additional user and the whole server locked up after a very short time of a
> > > month or so.
> > >
> > > I had to disable crl handling for that very reason
> >
> > * EASYRSA_CRL_DAYS the CRL validity period.
> >
> > If you have a very static PKI then this can be a little irritating,
> > however, the default 180 days is the recommended value.
>
> I "solved" the problem in the server by switching from:
> crl-verify /crl.pem
>
> to
>
> client-config-dir /etc/openvpn/ccdw
>
> and putting files with disabled in them into that dir and named as the common
> name of clients to block.
>
> So no need for the crl anymore.
>
> > CRL validity period explained:
> >
> > If you revoke a certificate but forget to generate a new CRL then
> > the revoked cert. will still be allowed to connect.
> >
> > Having a very short validity period for the CRL is a security measure,
> > when it kicks in it ensures that the admin updates to a new CRL.
> >
> > The essential knowledge (Which you seem to not understand) is:
> >
> > The certificate remains unchanged by being revoked, only the CRL is
> > aware of whic
Re: [Openvpn-users] Easy-rsa 3 config questions
Hi,

--- Original Message ---
On Thursday, March 2nd, 2023 at 10:12, Bo Berglund wrote:

> I have downloaded easy-rsa3 version to my OpenVPN server for testing.
> I did so using wget on the v3.1.2/EasyRSA-3.1.2.tgz file below Releases at
> GitHub.
>
> When I read the vars.example file I see that most of what I had to do in the
> vars file before is not really needed anymore. :-)
>
> But there are a couple of things regarding certs I don't understand fully so
> would like to get explained:
>
> # In how many days should the root CA key expire?
> #
> #set_var EASYRSA_CA_EXPIRE 3650
>
> Obviously based on earlier discussions here about looming expirations I would
> like to do this to raise the time to 20 years:
>
> set_var EASYRSA_CA_EXPIRE 7300
>
> However, the following seems also to be involved with expirations but I don't
> know for sure what to do...
>
> Do I need to also set these to 7300 to get a 20 year "working time"?
>
> # In how many days should certificates expire?
> #
> #set_var EASYRSA_CERT_EXPIRE 825

This seems to me to be self-explanatory:

* EASYRSA_CA_EXPIRE the CA certificate validity period.

* EASYRSA_CERT_EXPIRE the entity certificate validity period.

> # How many days until the next CRL publish date? Note that the CRL can still
> # be parsed after this timeframe passes. It is only used for an expected next
> # publication date.
> #
> #set_var EASYRSA_CRL_DAYS 180
>
> Isn't the last one dealing with client cert revocations?
>
> Does it imply some automatic renewal of the revocations such that one does not
> have to build and copy a new crl file every now and then even if no new user
> logins have to be revoked to keep the server operational at all?
>
> In easy-rsa2 there was no way to update a crl file without also revoking an
> additional user and the whole server locked up after a very short time of a
> month or so.
>
> I had to disable crl handling for that very reason

* EASYRSA_CRL_DAYS the CRL validity period.

If you have a very static PKI then this can be a little irritating, however, the default 180 days is the recommended value.

CRL validity period explained:

If you revoke a certificate but forget to generate a new CRL then the revoked cert. will still be allowed to connect.

Having a very short validity period for the CRL is a security measure, when it kicks in it ensures that the admin updates to a new CRL.

The essential knowledge (Which you seem to not understand) is:

The certificate remains unchanged by being revoked, only the CRL is aware of which certificates are valid versus those that are revoked.
(This is unlike certificate expiry because the 'not-after' field, encoded INSIDE the certificate, denotes when the certificate expires.)

Therefore, if you intend to revoke certificates (as opposed to all the other options that OpenVPN has available) then you MUST keep your CRL up-to-date.

EasyRSA-3 "could" also be like EasyRSA-2 and do an automatic 'gen-crl' when a certificate is revoked.
However, at this time it does not. It does come with this helpful message after a successful revoke:

* IMPORTANT *
Revocation was successful. You must run 'gen-crl' and upload a new CRL to your infrastructure in order to prevent the revoked certificate from being accepted.

HTH
Richard
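The CRL lifetime rules explained above, and the "how do I read the CRL's expiry date and refresh it" question in the revoke thread further down, as an added example that is not part of the mail and not EasyRSA's code: a POSIX shell check that reads nextUpdate from a CRL with openssl, works out how long it has left, and runs 'easyrsa gen-crl' when it is close to (or past) expiry, suitable for cron. The CRL path, the EasyRSA directory and the 30-day margin are assumptions, not settings from the thread; the date arithmetic is done in shell so that the script behaves the same on GNU, BSD and busybox userland.

```shell
#!/bin/sh
# Added example, not part of the mail or of EasyRSA: keep an OpenVPN CRL fresh.
# Assumptions (not from the thread): CRL path, EasyRSA directory, 30-day margin.
CRL="${CRL:-/etc/openvpn/keys/crl.pem}"
EASYRSA_DIR="${EASYRSA_DIR:-/usr/local/share/openvpn/easy-rsa}"

# crl_next_update FILE -> "Aug 29 12:00:00 2023 GMT" (openssl's own format).
# This is the CRL counterpart of 'openssl x509 -enddate -noout -in cert.crt'.
crl_next_update() {
    openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//'
}

# pem_date_to_epoch "Aug 29 12:00:00 2023 GMT" -> seconds since 1970-01-01 UTC.
# Pure shell arithmetic (days-from-civil), so no dependence on GNU 'date -d'.
pem_date_to_epoch() {
    set -- $1                      # split on whitespace: Mon D HH:MM:SS YYYY TZ
    case $1 in
        Jan) m=1;; Feb) m=2;; Mar) m=3;; Apr) m=4;;  May) m=5;;  Jun) m=6;;
        Jul) m=7;; Aug) m=8;; Sep) m=9;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) return 2;;
    esac
    [ "$5" = GMT ] || return 2     # openssl prints UTC here; refuse anything else
    d=$2; y=$4
    hh=${3%%:*}; rest=${3#*:}; mm=${rest%%:*}; ss=${rest#*:}
    hh=${hh#0}; mm=${mm#0}; ss=${ss#0}   # "08" would be read as octal otherwise
    if [ "$m" -le 2 ]; then y=$((y - 1)); mo=$((m + 9)); else mo=$((m - 3)); fi
    era=$(( y / 400 ))
    yoe=$(( y - era * 400 ))
    doy=$(( (153 * mo + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    days=$(( era * 146097 + doe - 719468 ))
    echo $(( days * 86400 + hh * 3600 + mm * 60 + ss ))
}

# seconds_until DATE [NOW_EPOCH] -> seconds until DATE, negative once it has
# passed. NOW_EPOCH is a parameter so the arithmetic can be checked against a
# fixed clock; it defaults to the current time.
seconds_until() {
    when=$(pem_date_to_epoch "$1") || return 2
    now="${2:-$(date -u +%s)}"
    echo $(( when - now ))
}

# crl_verdict SECONDS_LEFT MARGIN_DAYS -> expired | refresh | ok
crl_verdict() {
    if [ "$1" -lt 0 ]; then echo expired
    elif [ "$1" -lt $(( $2 * 86400 )) ]; then echo refresh
    else echo ok
    fi
}

# EasyRSA 3 does not regenerate the CRL after a revoke (see the mail above);
# this is the manual 'gen-crl' step, wrapped so cron can run it. The new CRL is
# valid for EASYRSA_CRL_DAYS (180 by default) from the moment it is generated.
refresh_crl() {
    ( cd "$EASYRSA_DIR" && ./easyrsa gen-crl ) &&
        install -m 0644 "$EASYRSA_DIR/pki/crl.pem" "$CRL"
}

# main: run from cron (weekly is plenty for a 180-day CRL). A CRL past its
# nextUpdate makes OpenVPN reject every client, not just the revoked ones,
# which is the lock-out described earlier in this thread.
main() {
    [ -r "$CRL" ] || { echo "no CRL at $CRL" >&2; return 1; }
    left=$(seconds_until "$(crl_next_update "$CRL")") || return 1
    case $(crl_verdict "$left" 30) in
        ok)      echo "CRL ok, $(( left / 86400 )) days left" ;;
        refresh) echo "CRL has $(( left / 86400 )) days left, regenerating"; refresh_crl ;;
        expired) echo "CRL EXPIRED, clients are being rejected; regenerating" >&2; refresh_crl ;;
    esac
}

# Invoke as 'sh crl-check.sh run' so that sourcing the file only defines functions.
if [ "${1:-}" = run ]; then main; fi
```

Recent OpenVPN releases re-read the crl-verify file when it changes, so replacing crl.pem in place is enough; restart the service if yours does not. Revoking a certificate still requires running 'gen-crl' yourself (or via refresh_crl) straight away, since the cron job only guards against expiry, not against a stale CRL that predates the revoke.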
Re: [Openvpn-users] How to check if OpenVPN server is working properly?
Hi,

--- Original Message ---
On Saturday, February 25th, 2023 at 21:12, Bo Berglund wrote:

> On Thu, 23 Feb 2023 17:43:15 +0100, Bo Berglund bo.bergl...@gmail.com wrote:
>
> > Questions:
> >
> > Can I extend the expiration time of my server and the clients too before actual
> > expiration such that this will not happen on Oct 24, 2027?
>
> UPDATE (almost there):
> --
> I found this forum post most useful:
> https://forums.openvpn.net/viewtopic.php?t=18671#p51517
>
> So now I have tested these commands on my server in easy-rsa/keys:
>
> Making copy of ca.crt with 25 year expiration:
>
> $ openssl x509 -in ca.crt -days 9131 -out ca_25.crt -signkey ca.key
> Getting Private key
>
> Checking expiration of resulting key:
>
> $ openssl x509 -dates -noout -in ca_25.crt
> notBefore=Feb 25 20:47:36 2023 GMT
> notAfter=Feb 25 20:47:36 2048 GMT
>
> Checking an existing client cert using ca_25.crt:
>
> $ openssl verify -CAfile ca_25.crt JennyUbu.crt
> JennyUbu.crt: OK
>
> So it seems like the new crt file accepts the old existing client crt!
>
> NEXT TO DO?:
> ---
> I copy the ca_25.crt file to /etc/openvpn/keys dir and then edit the conf file
> for the services to use this new file as the ca entry like this:
>
> #ca /etc/openvpn/keys/ca.crt
> ca /etc/openvpn/keys/ca_25.crt
> cert /etc/openvpn/keys/server.crt
> key /etc/openvpn/keys/server.key # This file should be kept secret
> dh /etc/openvpn/keys/dh2048.pem
> tls-auth /etc/openvpn/keys/ta.key 0 # This file is secret
>
> And finally restart the openvpn services.
>
> Is this going to work or do I have to also process the cert entry (server.crt)??

Assuming that your original CA is about to expire then all your clients need the same ca_25.crt in their config files.
Otherwise, your clients will try to use the expired CA certificate.

As for the server and client certificates, when they expire they need to be renewed.

It is safe to distribute certificates over an insecure medium.
Re: [Openvpn-users] How to revoke user logins without blocking all after a timeout?
Hi,

--- Original Message ---
On Friday, February 24th, 2023 at 22:11, Bo Berglund wrote:

> On Fri, 24 Feb 2023 11:05:57 +0100, Gert Doering g...@greenie.muc.de wrote:
>
> > Hi,
> >
> > On Fri, Feb 24, 2023 at 10:58:06AM +0100, Bo Berglund wrote:
> >
> > > And why is there an expiration of the crl file to begin with?
> >
> > I explained that, but that mail seems to have been lost - it's because
> > the assumption of the security folks (outside OpenVPN control) is that
> > if you have a CRL, you want that CRL to be up-to-date at all times.
> >
> > The assumption is "if something in the CRL producing process fails, and
> > no new CRL can be generated, better assume that everything should be
> > disallowed than let someone unauthorized in".
>
> So that would mean that I have to basically:
>
> - Symlink the crl file to the /etc/openvpn/keys dir:
>   sudo ln -sf /usr/local/share/openvpn/easy-rsa/keys/crl.pem /etc/openvpn/keys/crl.pem
> - Create a script that refreshes the crl file
> - Run that from cron at an interval that is less than the expire time
>
> However, I have not seen a command to actually refresh the crl.pem file just
> to add new revoked client...
>
> The script to "refresh" the crl.pem file:
>
> ---
> #!/bin/bash
> cd /usr/local/share/openvpn/easy-rsa
> source vars
> ./revoke-full
>
> exit 0
> ---
>
> I tried "revoke-full" without argument but it showed an error...
>
> Is there an openssl command to just refresh the file's expire date?
>
> I tried to read the expire date of the pem file like I can a crt file but
> failed, is there a command to do so?

The problem you have is as follows:

EasyRSA version 2 will automatically build a new CRL but ONLY when you use
'revoke-full'. Then you have a fixed CRL, which EasyRSA v2 will not update,
unless you revoke another certificate.

That is no longer suitable for use with OpenVPN because the underlying SSL
library checks for a validation date in the CRL, which it did NOT do when
easyrsa-v2 was created.

So, either upgrade to EasyRSA-v3, please. Otherwise, you will have to use the
OpenSSL command directly, to create a new CRL. You can look in the EasyRSA
source code v2 or v3 for the appropriate SSL layer command.

Regards
Richard
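The two operations discussed in the threads above, re-signing an expiring CA certificate with its existing key (the openssl x509 -signkey step from the first thread) and refreshing a CRL that OpenVPN rejects once its nextUpdate has passed (the second thread), walked through as an added example. This is not code from the list, from Easy-RSA or from OpenVPN; it uses openssl ca -gencrl directly, which is the SSL-layer command Easy-RSA wraps, and the lab PKI, file names and validity periods are constructed for the demo.

```sh
#!/bin/sh
# Added example, not code from the list posts or from Easy-RSA. It builds a
# throwaway lab PKI with plain OpenSSL and walks through the two operations
# discussed above: re-signing the CA certificate with its existing key (the
# "openssl x509 -signkey" step) and refreshing an expired CRL with
# "openssl ca -gencrl". Every name, path and validity period is constructed.
set -eu

# Minimal OpenSSL config written into PKI directory $1 so the demo does not
# depend on the system openssl.cnf. [lab_ca] is only used by "ca -gencrl".
write_cnf() {
  cat > "$1/lab.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
default_md         = sha256
[ dn ]
CN = Lab CA
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = lab_ca
[ lab_ca ]
dir              = $1
database         = \$dir/index.txt
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_crl_days = 180
EOF
}

# Lab PKI in $1: a CA valid for only 1 day and a client certificate it
# issued that is valid for 30 days, so the CA is the first thing to expire.
make_lab_pki() {
  mkdir -p "$1"
  write_cnf "$1"
  : > "$1/index.txt"
  echo 01 > "$1/crlnumber"
  openssl req -x509 -config "$1/lab.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Lab CA" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl req -new -config "$1/lab.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=client01" -keyout "$1/client01.key" -out "$1/client01.csr" \
    2>/dev/null
  openssl x509 -req -in "$1/client01.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -sha256 -out "$1/client01.crt" 2>/dev/null
}

# Re-sign the CA certificate with the unchanged CA key for $3 days (the
# thread used 9131, about 25 years) and write it to $1/$2. Subject, public
# key and extensions are retained and only the validity window moves, so
# certificates the CA already issued still chain to the new file.
extend_ca() {
  openssl x509 -in "$1/ca.crt" -days "$3" -signkey "$1/ca.key" \
    -out "$1/$2" 2>/dev/null
}

# Issue a fresh CRL valid for $2 days into $1/crl.pem. Easy-RSA v2 only did
# this on revoke-full; OpenVPN's SSL library rejects a CRL whose nextUpdate
# has passed, which is the "CRL has expired" VERIFY ERROR in the log above.
gen_crl() {
  openssl ca -config "$1/lab.cnf" -gencrl -crldays "$2" \
    -out "$1/crl.pem" >/dev/null 2>&1
}

# Verify $1/$3 against CA file $1/$2 with CRL checking, as of epoch time $4
# ("openssl verify -attime" lets us test expiry without waiting). Prints OK,
# or the first reason, e.g. "CRL has expired" or "certificate has expired".
verify_status() {
  if out=$(openssl verify -attime "$4" -crl_check -CAfile "$1/$2" \
             -CRLfile "$1/crl.pem" "$1/$3" 2>&1); then
    echo OK
  else
    echo "$out" | sed -n 's/.*error [0-9]* at [0-9]* depth lookup: *//p' |
      head -n 1
  fi
}

# Scenario: today all is well; two days on the old CA and 1-day CRL expired.
demo() {
  d=$(mktemp -d)
  make_lab_pki "$d"
  gen_crl "$d" 1
  extend_ca "$d" ca_25.crt 9131
  now=$(date +%s)
  later=$((now + 2 * 86400))
  echo "today,   old CA:           $(verify_status "$d" ca.crt    client01.crt "$now")"
  echo "+2 days, new CA, old CRL:  $(verify_status "$d" ca_25.crt client01.crt "$later")"
  gen_crl "$d" 180
  echo "+2 days, new CA, new CRL:  $(verify_status "$d" ca_25.crt client01.crt "$later")"
  echo "+2 days, old CA, new CRL:  $(verify_status "$d" ca.crt    client01.crt "$later")"
  rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh script.sh demo` to see the four verification outcomes; the same gen_crl call, driven from cron, is what keeps a v2-style PKI's CRL from going stale.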
Re: [Openvpn-users] How to check if OpenVPN server is working properly?
Hi,

--- Original Message ---
On Thursday, February 23rd, 2023 at 23:20, Bo Berglund wrote:

> I have used easy-rsa2 since I started with OpenVPN 10 years ago and I have
> made a script that eases the manufacture of client OVPN files using the
> easy-rsa2 command scripts. Currently I have 7 VPN servers in 5 locations
> running on RaspberryPi and linux boxes. All basically set up the same way
> and using easy-rsa2.
>
> They are closing in on the 10-year expiration now so I think I need to "do
> something".
>
> Given that I have the easy-rsa setup with existing crt, csr, key, 3des.key and
> pem files in the keys subdir to easy-rsa, what is the best way to convert to
> using easy-rsa3?
>
> I had a brief look at version 3 but did not understand how to use it in my own
> environment, especially how I would convert my makeclient script, so I kept
> the old version 2...
> I guess I have to convert to 3 now, so can I use the same keys directory as
> with easy-rsa2 (rather a copy)? It holds all the crypto files created except
> for the client ovpn files.

There is an 'upgrade' command for EasyRSA version 3:

  easyrsa upgrade pki

This moves your version 2 /keys folder to the required layout for version 3.

If you feel ill-at-ease with an unknown command like that then make a backup
of your installation and test on that first.
Re: [Openvpn-users] How to check if OpenVPN server is working properly?
Hi,

--- Original Message ---
On Thursday, February 23rd, 2023 at 17:34, David Sommerseth wrote:

> On 23/02/2023 17:43, Bo Berglund wrote:

Note: The suggestions made by David Sommerseth above are also very useful.

> > Questions:
> >
> > Can I extend the expiration time of my server and the clients too before
> > actual expiration such that this will not happen on Oct 24, 2027?
>
> Yes, you can issue new certificates using the same private and public
> keys (essentially re-using the CSR). This will issue a new certificate
> with a new expiry date. Since the certificate and CA are the same, it
> just works as before.

Yes, again with easyrsa:

  easyrsa [optional: --days=3650] renew

This will create a new certificate from the original signing request.
This renewed certificate uses the original entity private key.

Make sure that you use EasyRSA version 3.1+, otherwise 'renew' will not use
the original key. Which means you also have to distribute that entity NEW
private key over a secure medium.

Regards

> --
> kind regards,
>
> David Sommerseth
> OpenVPN Inc
Re: [Openvpn-users] How to check if OpenVPN server is working properly?
Hi,

--- Original Message ---
On Thursday, February 23rd, 2023 at 15:10, Bo Berglund wrote:

> When I first try (and fail) to connect then go in via the other server to read
> the log I find this:
>
> 217.31.190.108:63723 TLS: Initial packet from [AF_INET]217.31.190.108:63723,
> sid=863c9ad5 e9b05ce9
> 217.31.190.108:63723 VERIFY ERROR: depth=0, error=CRL has expired: C=US, ST=TX,
> L=Austin, O=Companyname, OU=IT, CN=BosseB_AGI, name=BosseB_AGI,
> emailAddress=***

Your CRL (certificate revocation list) has expired.

If you use Easy-rsa (https://github.com/OpenVPN/easy-rsa) then you can build
a new CRL with:

  easyrsa gen-crl

This builds a new CRL which is valid for 180 days.

You can configure the validity period with option --days:

  easyrsa --days=365 gen-crl

You can also get advanced warning of expiring certificates with:

  easyrsa show-expire

The default is 90 days but that can also be configured via option --days

Hope that helps.
Re: [Openvpn-users] buglet in crt_not_after computation?
Hi Steve,

if you find time then a more thorough test is easy:

Use --fix-offset=120 when building a client certificate.

eg: `easyrsa --fix-offset=120 --nopass build-client-full client01`

There is no rush but I would like to know if that works on your host OS.

Thanks
R

Sent with Proton Mail secure email.

--- Original Message ---
On Monday, January 23rd, 2023 at 15:56, tincantech wrote:

> Hi Steve,
>
> Thank you for testing and feeding back.
>
> I put quite some time into testing the various date programs;
> it is good to know when the code passes real world testing.
>
> Kind regards
> Richard
>
> --- Original Message ---
> On Monday, January 23rd, 2023 at 15:49, scs+sf_o...@eskimo.com
> scs+sf_o...@eskimo.com wrote:
>
> > Richard wrote:
> >
> > > my mistake, v3.0.9 does use date for build-x-full.
> > > However, if you could also test latest release 3.1.2
> > > that would help.
> >
> > Thanks for the quick response, and sorry for the delay in replying.
> > I downloaded and tested 3.1.2, and the buglet no longer occurs.
> > Thank you.
> >
> > Steve Summit
Re: [Openvpn-users] buglet in crt_not_after computation?
Hi Steve,

Thank you for testing and feeding back.

I put quite some time into testing the various date programs;
it is good to know when the code passes real world testing.

Kind regards
Richard

--- Original Message ---
On Monday, January 23rd, 2023 at 15:49, scs+sf_o...@eskimo.com wrote:

> Richard wrote:
>
> > my mistake, v3.0.9 does use date for build-x-full.
> > However, if you could also test latest release 3.1.2
> > that would help.
>
> Thanks for the quick response, and sorry for the delay in replying.
> I downloaded and tested 3.1.2, and the buglet no longer occurs.
> Thank you.
>
> Steve Summit
Re: [Openvpn-users] buglet in crt_not_after computation?
Hi,

my mistake, v3.0.9 does use date for build-x-full.
However, if you could also test latest release 3.1.2
that would help.

Thanks
Richard

--- Original Message ---
On Thursday, January 19th, 2023 at 06:17, tincantech via Openvpn-users wrote:

> Hi,
>
> EasyRSA version 3.0.x 'build-x-full' does not use date.
>
> You must be using version 3.1.x
>
> Please check which version you are using.
>
> Releases are available, please try latest:
> https://github.com/OpenVPN/easy-rsa/releases
>
> If the problem persists then git/master has had a patch
> which could impact this directly, please check that too.
>
> Thanks
> Richard
>
> --- Original Message ---
> On Thursday, January 19th, 2023 at 04:09, Steve Summit via Openvpn-users
> openvpn-users@lists.sourceforge.net wrote:
>
> > I've discovered what may be a bug in easyrsa 3.0. When I try to
> > create new certificates with build-server-full or build-client-full,
> > I get these error messages:
> >
> > Failed conversion of `'' using format` %b %d %T %Y %Z''
> > date: illegal time format
> > usage: date [-jnRu] [-d dst] [-r seconds] [-t west] ...
> >
> > My specific invocation was
> >
> > ./easyrsa --pki-dir=pki2 build-client-full test1 nopass
> >
> > This is on a MacOS system (version 10.13.6, but I don't think
> > that matters).
> >
> > The error seems to be coming from the line
> >
> > expire_date="$(date -j -f '%b %d %T %Y %Z' "$crt_not_after" +%s)"
> >
> > in the cert_dates function. But it appears that crt_not_after
> > has not been set, presumably because cert_dates was called
> > without an argument.
> >
> > Despite this error, the certificate seems to be created
> > successfully. (It looks like the logic that's failing has to do
> > with renewals, and might work fine during renewals, and is not
> > needed during initial certificate creation.)
> >
> > Thanks,
> >
> > Steve Summit
Re: [Openvpn-users] buglet in crt_not_after computation?
Hi,

EasyRSA version 3.0.x 'build-x-full' does not use date.

You must be using version 3.1.x

Please check which version you are using.

Releases are available, please try latest:
https://github.com/OpenVPN/easy-rsa/releases

If the problem persists then git/master has had a patch
which could impact this directly, please check that too.

Thanks
Richard

--- Original Message ---
On Thursday, January 19th, 2023 at 04:09, Steve Summit via Openvpn-users wrote:

> I've discovered what may be a bug in easyrsa 3.0. When I try to
> create new certificates with build-server-full or build-client-full,
> I get these error messages:
>
> Failed conversion of `'' using format` %b %d %T %Y %Z''
> date: illegal time format
> usage: date [-jnRu] [-d dst] [-r seconds] [-t west] ...
>
> My specific invocation was
>
> ./easyrsa --pki-dir=pki2 build-client-full test1 nopass
>
> This is on a MacOS system (version 10.13.6, but I don't think
> that matters).
>
> The error seems to be coming from the line
>
> expire_date="$(date -j -f '%b %d %T %Y %Z' "$crt_not_after" +%s)"
>
> in the cert_dates function. But it appears that crt_not_after
> has not been set, presumably because cert_dates was called
> without an argument.
>
> Despite this error, the certificate seems to be created
> successfully. (It looks like the logic that's failing has to do
> with renewals, and might work fine during renewals, and is not
> needed during initial certificate creation.)
>
> Thanks,
>
> Steve Summit
Re: [Openvpn-users] 2.6rc2 server with DCO and 2.6rc2 client with DCO: not working
Hi Ralf,

I experienced a very similar issue when testing a DCO server.

For me, the solution was to remove ALL compression settings from the client
CCD file and server conf, including what appear to be compatible settings.

I don't understand the reason why, perhaps a simple disallow any compression
settings or perhaps disabling compression via eg. --comp-lzo no, is not what
DCO expects.

Either way, I had to remove ALL compression settings from CCD AND the server
config. IE. NOT use any compression settings and to accept the default.

Worth a try, at least.

Regards.
Re: [Openvpn-users] Dealing with CA expiration
Hi Leroy,

It sounds like we are, more or less, on the same page.

For me, only two points remain:

1.
> In case it matters, the server versions are OpenVPN 2.3.10/OpenSSL 1.0.2g

It matters and, after *ten* years, it is time that you understand why.

2. I will never endorse an Easy-RSA command to renew a CA.

In my personal opinion, having the command `renew-ca` in Easy-RSA, makes
things far-too-easy to shoot yourself in the foot.

I mean no offense but I do have strong opinions, please accept my apologies
for any misunderstandings.

RTB
Re: [Openvpn-users] Dealing with CA expiration
Hi,

--- Original Message ---
On Thursday, October 27th, 2022 at 5:16 AM, Leroy Tennison via Openvpn-users wrote:

> After 10 years this happened to us, fortunately on a small VPN. In rushing
> to get service restored, I used easy-rsa's build-ca, big mistake - had to
> recreate all client certificates. After some research I found that "openssl
> x509 -in /etc/openvpn/easy-rsa/keys/ca.crt -days 3650 -out ca-v2.crt -signkey
> /etc/openvpn/easy-rsa/keys/ca.key" seems to work. I also used
> build-key-server because the server's certificate had also expired and that
> seems to work as well. When the new CA certificate and server
> certificate/key pair is configured in the conf file and OpenVPN restarted,
> existing clients with unexpired certificate/key pairs were able to connect
> and function.
>
> My question is "Is this the correct/best way to handle the situation?" If
> not, what is?

First, it is true that Easy-RSA could have a CA renewal function, it is even
on the list of requests.
https://github.com/OpenVPN/easy-rsa/issues/379

Second, if you used Easy-RSA to build a new CA, did you also re-initialise
your PKI ?

I'm not really sure how well renewing a CA works, because, I presume that you
still need to distribute the new CA certificate to your clients ..

So, it is debatable how useful renewing a CA really is versus building a new
CA and distributing new client config files.

As for best practice: When the software is free, please accept a share of the
responsibility.

br
RTB
Re: [Openvpn-users] Checking server and client certificates expiration?
Hi,

--- Original Message ---
On Wednesday, September 28th, 2022 at 18:18, Bo Berglund wrote:

> On Wed, 28 Sep 2022 16:03:11 +0000, tincantech via Openvpn-users
> openvpn-users@lists.sourceforge.net wrote:
>
> > I can only presume that you have never heard of Easy-RSA before.
>
> I have used easy-rsa version 2 since 2013 or so

I recommend that you move to Easy-RSA version 3 but wait for v311

There is an upgrade procedure to make your PKI v3 compatible.
If you have problems with that then I can help.
Always make a backup first ;-)

There is also Easy-TLS: https://github.com/TinCanTech/easy-tls
That may not be something you would find useful. (Not officially endorsed)

As a developer from Sweden, I would hope that POSIX/sh is something that you
would have some familiarity with. The code there-in may be of some use to you.
Both Easy-RSA and Easy-TLS are POSIX/sh.

I only post this info because I get the impression that it could be useful to
you.
Re: [Openvpn-users] Checking server and client certificates expiration?
Hi Bo,

the imminent release of Easy-RSA version 3.1.1 has tools to manage your PKI
with relative ease.
https://github.com/OpenVPN/easy-rsa

Command `show-expire` will list your entire PKI, a subset of it or an
individual certificate, at your request.

I can only presume that you have never heard of Easy-RSA before.

--- Original Message ---
On Wednesday, September 28th, 2022 at 16:51, Gert Doering wrote:

> Hi,
>
> On Wed, Sep 28, 2022 at 11:18:41AM -0400, Bo Berglund wrote:
>
> > -BEGIN CERTIFICATE-
> > block of characters
> > -END CERTIFICATE-
> >
> > This is the client certificate (that the server will validate).
> >
> > I don't know what each of these crypto sections does and if they contain
> > some expire info...
> > Or which section contains the date...
>
> The not-before/not-after dates are encoded in the x509 blob in .
>
> So, the "grep -A 100" command given will extract "cert plus everything
> after it" from the config, and "openssl x509 -in $file -noout -text"
> will decode the certificate for you.
>
> gert
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany g...@greenie.muc.de
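The recipe quoted above (grep the inline cert out of the profile, then decode it with openssl x509) and the show-expire advice, worked into a small script as an added example; this is not code from the list, from Easy-RSA or from OpenVPN. It extracts any inline PEM block, <ca> as well as <cert>, which goes a step beyond the quoted <cert>-only recipe, and uses openssl x509 -checkend so that no date(1) parsing is needed, which is the portability trap seen in the crt_not_after thread; the profile, names and validity periods are constructed for the demo.

```sh
#!/bin/sh
# Added example, not code from the list posts, Easy-RSA or OpenVPN: extract
# the PEM block from an inline .ovpn profile (what the quoted "grep -A 100"
# plus "openssl x509" recipe does by hand) and report when it expires. It
# uses "openssl x509 -checkend", so no date(1) parsing is needed. The
# profile, names and validity periods below are constructed for the demo.
set -eu

# Print the lines between <$2> and </$2> in profile $1 (e.g. ca or cert).
ovpn_inline_block() {
  awk -v tag="$2" '$0 == ("<" tag ">")  { on = 1; next }
                   $0 == ("</" tag ">") { on = 0 }
                   on' "$1"
}

# notAfter of the certificate in inline block $2 of profile $1.
ovpn_cert_notafter() {
  ovpn_inline_block "$1" "$2" | openssl x509 -noout -enddate |
    sed 's/^notAfter=//'
}

# Exit 0 if the certificate in block $2 of profile $1 is still valid in $3
# days, 1 if it expires sooner (the idea behind easyrsa show-expire's 90 days).
ovpn_cert_valid_for_days() {
  ovpn_inline_block "$1" "$2" |
    openssl x509 -noout -checkend "$(( $3 * 86400 ))" >/dev/null
}

# One line per inline certificate block of profile $1, flagging anything
# that expires within $2 days.
ovpn_report() {
  for tag in ca cert; do
    if ovpn_cert_valid_for_days "$1" "$tag" "$2"; then
      state=ok
    else
      state="EXPIRES WITHIN $2 DAYS"
    fi
    echo "<$tag>: notAfter=$(ov pn_cert_notafter "$1" "$tag") [$state]"
  done
}

# Constructed profile in directory $1: a self-signed 30-day certificate is
# used as both <ca> and <cert> (a real profile carries the CA and a client
# certificate it issued). Prints the profile path.
make_demo_profile() {
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = client01\n' \
    > "$1/req.cnf"
  openssl req -x509 -config "$1/req.cnf" -newkey rsa:2048 -nodes -days 30 \
    -keyout "$1/client01.key" -out "$1/client01.crt" 2>/dev/null
  {
    printf 'client\ndev tun\nremote vpn.example.invalid 1194\n'
    printf '<ca>\n';   cat "$1/client01.crt"; printf '</ca>\n'
    printf '<cert>\n'; cat "$1/client01.crt"; printf '</cert>\n'
  } > "$1/client01.ovpn"
  echo "$1/client01.ovpn"
}

if [ "${1:-}" = demo ]; then
  d=$(mktemp -d)
  ovpn_report "$(make_demo_profile "$d")" 90
  rm -rf "$d"
fi
```

Point ovpn_report at a real profile (`ovpn_report client.ovpn 90`) to get the same warning show-expire gives, without touching the PKI directory.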
Re: [Openvpn-users] Correct way to handle routing when on home network?
Hi,

--- Original Message ---
On Thursday, September 22nd, 2022 at 19:25, tincantech wrote:

> --- Original Message ---
> On Thursday, September 22nd, 2022 at 15:06, Sebastian Arcus
> s.ar...@open-t.co.uk wrote:
>
> > Server: openvpn 2.5.7, Linux Slackware
> > Client: openvpn 2.5.7, Windows 10
> > OpenVPN server lan subnet: 192.168.112.0/24
> > OpenVPN subnet: 192.168.114.0/24
> >
> > server.conf
> >
> > proto udp
> > port 1194
> > dev tun
> > server 192.168.114.0 255.255.255.0
> > push "route 192.168.112.0 255.255.255.0"
> > push "dhcp-option DNS 192.168.112.1"
> > push "dhcp-option WINS 192.168.112.1"
> > push "route-metric 500"
> > ca "ca.crt"
> > cert "server.crt"
> > key "server.key"
> > tls-auth "ta.key" 0
> > dh "dh.pem"

It is also worth mentioning that --topology net30 is deprecated.
https://community.openvpn.net/openvpn/wiki/DeprecatedOptions#Changedefault--topologynet30tosubnet

That may help routing.
Re: [Openvpn-users] Correct way to handle routing when on home network?
Hi,

--- Original Message ---
On Thursday, September 22nd, 2022 at 15:06, Sebastian Arcus wrote:

> I use openvpn on laptops to access the vpn server and the network behind
> it. When the laptops are connected directly to the vpn server home
> network, to stop traffic going through the vpn, for years I've used
> successfully the route metric directive:
>
> push "route-metric 500"
>
> The 500 metric is supposed to be higher than wired connections, so the
> wired connection was preferred when connected to the openvpn server home
> lan, instead of the vpn connection.
>
> This doesn't seem to work properly with Windows 10 any more. Although
> the route metric does get set correctly on Windows 10, it seems to just
> ignore it and route all traffic

"route all traffic" is obviously used out of context here, see below:

> Does anyone know if Windows 10 now behaves differently with regards to
> route metric? Is there a new recommended way to deal with this issue?
> More details below of my setup:
>
> Server: openvpn 2.5.7, Linux Slackware
> Client: openvpn 2.5.7, Windows 10
> OpenVPN server lan subnet: 192.168.112.0/24
> OpenVPN subnet: 192.168.114.0/24
>
>
> server.conf
>
> proto udp
> port 1194
> dev tun
> server 192.168.114.0 255.255.255.0
> push "route 192.168.112.0 255.255.255.0"
> push "dhcp-option DNS 192.168.112.1"
> push "dhcp-option WINS 192.168.112.1"
> push "route-metric 500"
> ca "ca.crt"
> cert "server.crt"
> key "server.key"
> tls-auth "ta.key" 0
> dh "dh.pem"
>
>
> client.conf
>
> client
> windows-driver wintun
> proto udp
> remote vpn.remote.address
> port 1194
> resolv-retry infinite
> ping-restart 10
> persist-key
> persist-tun
> key-direction 1
> remote-cert-tls server
> ca "ca.crt"
> cert "client.crt"
> key "client.key"
> tls-auth "ta.key" 1
> remote-cert-tls server

Nowhere is "route all traffic" set by either side. For clarity.
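The thread above argues about whether `push "route-metric 500"` still keeps LAN traffic off the tunnel on Windows 10. The rule Windows applies is worth spelling out: a destination is matched by the longest prefix first, and the metric only breaks ties between routes of equal prefix length; the metric Windows compares is the interface metric plus the route's own metric. The following Python model, added here as an illustration and not taken from the original thread or from OpenVPN, reproduces that selection over a constructed routing table shaped like the poster's setup (192.168.112.0/24 reachable both on the wired LAN and via the pushed route). The interface metrics (25 for Ethernet, 5 for the Wintun adapter) and the interface names are assumptions chosen for the example; read the real values from `route print` on the client.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    interface_metric: int   # Windows per-interface metric (automatic or set by hand)
    route_metric: int       # the route's own metric, e.g. what "route-metric 500" pushes

    @property
    def effective_metric(self) -> int:
        # Windows ranks competing routes by interface metric + route metric.
        return self.interface_metric + self.route_metric


def select_route(table, destination):
    """Pick the route Windows would use: longest prefix first, then lowest
    effective metric among routes of that same prefix length."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in table if dst in r.prefix]
    if not candidates:
        raise LookupError(f"no route to {destination}")
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.effective_metric))


def chosen_interface(table, destination):
    return select_route(table, destination).interface


# Constructed table modelled on the thread: the laptop sits on the server's home
# LAN (192.168.112.0/24, wired) while the tunnel is up, and the server pushes
# "route 192.168.112.0 255.255.255.0" together with "route-metric 500".
# Interface metrics are assumed values, not measured ones.
WIRED = Route(ipaddress.ip_network("192.168.112.0/24"), "Ethernet", 25, 0)
VPN_LAN = Route(ipaddress.ip_network("192.168.112.0/24"), "OpenVPN Wintun", 5, 500)
VPN_NET = Route(ipaddress.ip_network("192.168.114.0/24"), "OpenVPN Wintun", 5, 0)
TABLE = [WIRED, VPN_LAN, VPN_NET]

# A hypothetical more specific pushed route: metric 500 cannot save the wired
# path here, because /25 beats /24 before any metric is compared.
MORE_SPECIFIC = Route(ipaddress.ip_network("192.168.112.0/25"), "OpenVPN Wintun", 5, 500)

if __name__ == "__main__":
    for table, label in ((TABLE, "pushed /24"), (TABLE + [MORE_SPECIFIC], "pushed /25")):
        for dst in ("192.168.112.10", "192.168.114.7"):
            r = select_route(table, dst)
            print(f"[{label}] {dst:>15} -> {r.interface} "
                  f"(/{r.prefix.prefixlen}, effective metric {r.effective_metric})")
```

Two practical consequences follow from the model: `route-metric` only competes with a local route of exactly the same prefix length, and the figure that competes is the sum with the tunnel adapter's interface metric, so a low interface metric on the adapter eats into the 500 margin.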
Re: [Openvpn-users] Commanding remote client to reconnect following server reboot?
--- Original Message ---
On Wednesday, September 7th, 2022 at 16:46, Bonno Bloksma wrote:

> Hi,
>
> > > > But doing it without VPN is hard when the ISP is not providing a
> > > > public IP address to the connected device...
> [...]
> > But when I switched to fiber out there the IP was NAT-ed and the site was
> > unreachable.
> > Had to talk to the fiber service provider and pay an extra charge to get a
> > public (non-NATed) IP.
>
> I guess CGN (Carrier Grade NAT) is having more and more impact, and all
> because we still want to use IPv4 and there is a severe shortage of IPv4
> numbers.
> Especially on the mobile connections I see A LOT of CGN being applied. If I
> go 5 times to whatismyip.com within 1 minute I will get 5 different public ip
> numbers.
>
> If at all possible see if you can add ipv6 on the server and then see if you
> can use ipv6 on the various client sites with the problems. That should avoid
> the NAT problems.
> The use of IPv6 SHOULD not have a mandatory extra charge as it is NORMAL
> internet access.

Provided that the ISP does not also charge extra for IPV6.

> Kind regards,
> Bonno Bloksma
Re: [Openvpn-users] Commanding remote client to reconnect following server reboot?
Hi Bo,

your best bet is to get the remote office admin to email you the router log,
after setting --verb 4 in the config.

Unless you prefer the _wild stab in the dark_ approach.

--- Original Message ---
On Monday, September 5th, 2022 at 21:02, Bo Berglund wrote:

> On Sun, 04 Sep 2022 11:33:31 +0200, Bo Berglund bo.bergl...@gmail.com wrote:
>
> > On Sun, 04 Sep 2022 10:42:52 +0200, Bo Berglund bo.bergl...@gmail.com wrote:
> >
> > > I have a number of OVPN clients connecting to my OpenVPN server (on a Linux
> > > Ubuntu 20.04.4 server box).
> > > Some are individual clients and some are routers handling multiple remote
> > > clients sharing that router.
> > >
> > > So far I have had no problems whenever I have had to reboot or otherwise
> > > restart the openvpn service on the server. All clients seem to be able to
> > > reconnect automatically if the connection is lost.
> > >
> > > But now I have a case where an ASUS RT-AC51U router does not reconnect its
> > > tunnel if the server reboots or the openvpn-service restarts. It just
> > > seems to have lost its connection and does nothing about it...
> > > My other similar setups using ASUS RT-AC86U routers do not show this
> > > problem.
> > >
> > > Question:
> > > Is there some way from the server side to send a message to the clients
> > > that they are to reconnect following an imminent service disruption?
> >
> > Just an addition:
> > I already have these related settings in the server side server.conf file:
> >
> > keepalive 10 120
> > explicit-exit-notify 1
> > push "explicit-exit-notify 1"
> >
> > Since these are there do I have to modify the client's conf file (which I
> > cannot do since I do not have access to that site)?
> >
> > I have to tell people on location to power cycle the router to get back the
> > connection as it is now.
>
> So now I have found an old thread on the forum:
> https://forums.openvpn.net/viewtopic.php?t=28499
>
> This also deals with a failing reconnect client...
>
> Here @Pippin says this:
>
> "Do not use --persist-tun on the client..."
>
> So I had a look at the OVPN file used to configure the ASUS router and its
> config looks like this:
>
> client
> dev tun
> proto udp
> remote mydomain.com 1191 #obfuscated
> resolv-retry infinite
> nobind
> persist-key
> persist-tun #<== NOTICE!
> mute-replay-warnings
> auth-nocache
> remote-cert-tls server
> key-direction 1
> cipher AES-256-CBC
> comp-lzo no
> verb 2
> mute 20
> explicit-exit-notify 1 #<== NOTICE!
>
> So now I have a client which is set to use persist-tun (I have no idea what
> this does) and the forum thread indicates that commenting it out solves the
> reconnect issue.
>
> QUESTION:
> -
> Is it possible to send a command from the server to the client via the ccd
> system on connect to NOT use persist-tun?
>
> The reason is that it is impossible for me to access the router and deal with
> its config since it is VERY remote now (1700 km).
> If I could send this to the client on connect then it could hopefully solve
> the problem.
> But how would that be formulated in the ccd file for the client?
>
> --
> Bo Berglund
> Developer in Sweden
Re: [Openvpn-users] How to block clients access to local LAN?
Hi,

either your netmask is incorrect or your calculation is.

Try `ipcalc 10.8.0.136/29`

I think you meant /28

Regards

--- Original Message ---
On Friday, September 2nd, 2022 at 06:56, Bo Berglund wrote:

> UPDATE-RESOLVED:
>
> This iptables rule did the trick:
>
> iptables -A FORWARD -s 10.8.0.136/29 -d 192.168.119.0/24 -j DROP
>
> What it does is that it blocks local LAN access for all clients using an IP in
> range 10.8.0.136 .. 10.8.0.151, in total 16 addresses.
>
> So by using ccd on clients that are not supposed to access the LAN and give
> them an IP in that range blocks them from the LAN while still accessing the
> web.
>
> --
> Bo Berglund
> Developer in Sweden
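The disagreement above is exactly the kind of thing to check mechanically before trusting a FORWARD rule as an access control. The Python below, added here as an example and not part of the original thread, does what `ipcalc` would: it shows what 10.8.0.136/29 really covers once the kernel applies the mask, what /28 on the same address would cover, and which blocks are needed to cover 136..151 exactly. The iptables semantics assumed are that `-s a.b.c.d/n` matches on the masked network, so host bits in the address do not widen the match.

```python
import ipaddress


def block_range(cidr):
    """(first, last, size) of the network an iptables '-s <cidr>' really matches.
    strict=False mirrors the kernel applying the mask to an address with host bits set."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def covering_blocks(first, last):
    """Smallest list of CIDR blocks covering first..last inclusive, nothing more."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


def matches_rule(cidr, client_ip):
    """Would a rule with '-s <cidr>' match traffic from this client address?"""
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(cidr, strict=False)


def uncovered_clients(cidr, first, last):
    """Client addresses in first..last that the rule would let through."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(ip) for ip in ipaddress.summarize_address_range(lo, hi)
            for ip in ip if not matches_rule(cidr, ip)]


if __name__ == "__main__":
    # Constructed inputs: the rule and the intended range from the thread.
    rule = "10.8.0.136/29"
    intended = ("10.8.0.136", "10.8.0.151")
    print(rule, "covers", block_range(rule))
    print("10.8.0.136/28 covers", block_range("10.8.0.136/28"))
    print("exact cover of %s..%s:" % intended, covering_blocks(*intended))
    print("clients the rule misses:", uncovered_clients(rule, *intended))
```

Running it shows that /29 only blocks 136..143, that /28 on that address silently shifts down to 128..143, and that the range the poster actually wanted is not a single block at all but two /29s. The same check belongs in any ccd-driven scheme that relies on address ranges for policy: an ifconfig-push that lands a client at .150 would bypass the rule as written.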
Re: [Openvpn-users] Problem with service on windows server
Hi,

the \\config-auto folder is only created if the 'openVPN Service' is selected
*manually* during installation. However, the 'Interactive-Service' *is*
installed by default.

This feels *needlessly* complicated.

As a long-time Windows user, I am much more accustomed to turning options which
I do not want OFF than I am turning options which I do want ON.

Also, the installer does not have the customary:

* FULL (Default)
* Standard - This could be renamed 'CLIENT ONLY', if that is the intention ..
* Custom - Debugging ..
* Advertiser sponsored - This is common enough.

which I would normally "hope" to see from a well behaved .msi installer.

my2c

--- Original Message ---
On Monday, June 27th, 2022 at 22:49, tincantech wrote:

> Correction: 2.5.7-I602 not 2.5.5
>
> --- Original Message ---
> On Monday, June 27th, 2022 at 22:35, tincantech via Openvpn-users
> openvpn-users@lists.sourceforge.net wrote:
>
> > Hi,
> >
> > I must point this out:
> >
> > > > > > I am setting up an OpenVPN server on a windows server for a
> > > > > > client, but ran into the problem where the openvpn service in
> > > > > > services doesn't pick up the config files I placed into the
> > > > > > C:\Program Files\Openvpn\config folder.
> > > > > >
> > > > > > I can start the server from the command line just fine and also
> > > > > > from the openvpn-gui client, but when I start the openvpn service
> > > > > > in services, the service starts and stays running, but the server
> > > > > > isn't listening for incoming connections.
> >
> > It is not clear if the following point affects the OP, however ..
> >
> > The correct folder for auto-start is:
> > C:\Program Files\Openvpn\config-auto
> >
> > However, this directory and the README are not installed using 2.5.5-I602.
> >
> > This could be due to recent changes.
> >
> > --
Re: [Openvpn-users] Problem with service on windows server
Correction: 2.5.7-I602 not 2.5.5

--- Original Message ---
On Monday, June 27th, 2022 at 22:35, tincantech via Openvpn-users wrote:

> Hi,
>
> I must point this out:
>
> > > > > I am setting up an OpenVPN server on a windows server for a
> > > > > client, but ran into the problem where the openvpn service in
> > > > > services doesn't pick up the config files I placed into the
> > > > > C:\Program Files\Openvpn\config folder.
> > > > >
> > > > > I can start the server from the command line just fine and also
> > > > > from the openvpn-gui client, but when I start the openvpn service
> > > > > in services, the service starts and stays running, but the server
> > > > > isn't listening for incoming connections.
>
> It is not clear if the following point affects the OP, however ..
>
> The correct folder for auto-start is:
> C:\Program Files\Openvpn\config-auto
>
> However, this directory and the README are not installed using 2.5.5-I602.
>
> This could be due to recent changes.
>
> --
Re: [Openvpn-users] Problem with service on windows server
Hi,

I must point this out:

> > > > I am setting up an OpenVPN server on a windows server for a
> > > > client, but ran into the problem where the openvpn service in
> > > > services doesn't pick up the config files I placed into the
> > > > C:\Program Files\Openvpn\config folder.
> > > >
> > > > I can start the server from the command line just fine and also
> > > > from the openvpn-gui client, but when I start the openvpn service
> > > > in services, the service starts and stays running, but the server
> > > > isn't listening for incoming connections.

It is not clear if the following point affects the OP, however ..

The correct folder for auto-start is:
C:\Program Files\Openvpn\config-auto

However, this directory and the README are *not* installed using 2.5.5-I602.

This could be due to recent changes.

--

--- Original Message ---
On Monday, June 27th, 2022 at 22:09, Austin Witmer wrote:

> I've set up openvpn servers on multiple windows machines before, but never
> ran into that problem before.
>
> If I have the time, I might have to do some testing on another machine and
> see if I can replicate the issue.
>
> Austin Witmer
>
> > On Jun 27, 2022, at 12:57 AM, Samuli Seppänen sam...@openvpn.net wrote:
> >
> > HI,
> >
> > On 26/06/22 04:33, Austin Witmer wrote:
> >
> > > I actually managed to get it figured out now.
> > > I did multiple reinstalls making sure that I selected to have the openvpn
> > > service installed. None of that seemed to work.
> > > I finally went into the properties of that service and specified a user
> > > and password to use to run the service. Then it worked! The user I chose
> > > is the same one I am logged in as. Is that a bug of some kind? Why should
> > > I have to do that?
> >
> > This is not normal and we have not heard of this before. Normally
> > OpenVPNService runs just fine with admin privileges and does not require
> > defining any credentials.
> >
> > To me it seems like some Windows setting or possibly some security software
> > is interfering with normal function of OpenVPNService and what you did
> > allowed working around the issue.
> >
> > Samuli
> >
> > > Thanks!
> > > Austin Witmer
> > >
> > > > On Jun 25, 2022, at 4:32 PM, Selva Nair <selva.n...@gmail.com> wrote:
> > > >
> > > > Hi,
> > > >
> > > > Check whether openvpnservice is installed by running the following from
> > > > a command line
> > > >
> > > > sc query OpenVPNService
> > > >
> > > > It will show whether the service exists and its current state. If
> > > > installed but not running open services and change the startup to
> > > > automatic and start.
> > > >
> > > > If not installed, you may have to uninstall openvpn and re-install it.
> > > > Select custom install and make sure OpenVPN service is selected.
> > > >
> > > > It seems the msi installer has some weird logic in selecting when to
> > > > install the service (so-called automatic service) and when to set it to
> > > > auto start. The interactive service used by the GUI is installed by
> > > > default.
> > > >
> > > > Selva
> > > >
> > > > On Sat, Jun 25, 2022 at 3:09 PM Austin Witmer <austi...@emypeople.net> wrote:
> > > >
> > > > > Hello all!
> > > > >
> > > > > I am setting up an OpenVPN server on a windows server for a
> > > > > client, but ran into the problem where the openvpn service in
> > > > > services doesn't pick up the config files I placed into the
> > > > > C:\Program Files\Openvpn\config folder.
> > > > >
> > > > > I can start the server from the command line just fine and also
> > > > > from the openvpn-gui client, but when I start the openvpn service
> > > > > in services, the service starts and stays running, but the server
> > > > > isn't listening for incoming connections.
> > > > >
> > > > > The log files aren't being created either, so that makes me think
> > > > > that for some reason the openvpn service isn't seeing my
> > > > > server.ovpn file with my configuration.
> > > > >
> > > > > By the way, this is the latest version of openvpn downloaded and
> > > > > installed this morning.
> > > > >
> > > > > Do you have any idea what the problem is? Thanks in advance for
> > > > > your help!
> > > > >
> > > > > Austin Witmer
Re: [Openvpn-users] How to enable timestamps in server logfile?
Hi,

--- Original Message ---
On Sunday, June 19th, 2022 at 06:35, Bo Berglund wrote:

> On Sat, 18 Jun 2022 22:00:20 +0000, tincantech via Openvpn-users
> openvpn-users@lists.sourceforge.net wrote:
>
> > You haven't found the file that you were looking for ..
>
> Then it does not exist on my Ubuntu system

On *your* system ..

If the file did not exist then this command:
`systemctl enable openvpn-server@server`
would throw this error
`Failed to enable unit: Unit file openvpn-server@.service does not exist.`

--
Re: [Openvpn-users] How to enable timestamps in server logfile?
Hi,

--- Original Message ---
On Saturday, June 18th, 2022 at 22:20, Bo Berglund wrote:

> On Sat, 18 Jun 2022 20:01:10 +0000, tincantech via Openvpn-users
> openvpn-users@lists.sourceforge.net wrote:
>
> > > > If you want your log-file to contain time-stamps then edit the file:
> > > > /lib/systemd/system/openvpn-server@.service
> > > > remove '--suppress-timestamps'
> > >
> > > I cannot find such a file...
> >
> > Well, you now know the solution.
> >
> > All you need do is find where your Ubuntu hides systemd,
>
> So I searched from / instead:
>
> sudo find / -name "openvpn-server*"
> /usr/lib/systemd/system/openvpn-server@.service
> /sys/fs/cgroup/devices/system.slice/system-openvpn\x2dserver.slice/openvpn-server@server.service
> /sys/fs/cgroup/devices/system.slice/system-openvpn\x2dserver.slice/openvpn-server@serverlocal.service
> /sys/fs/cgroup/memory/system.slice/system-openvpn\x2dserver.slice/openvpn-server@server.service
> /sys/fs/cgroup/memory/system.slice/system-openvpn\x2dserver.slice/openvpn-server@serverlocal.service
> /sys/fs/cgroup/pids/system.slice/system-openvpn\x2dserver.slice/openvpn-server@server.service
> /sys/fs/cgroup/pids/system.slice/system-openvpn\x2dserver.slice/openvpn-server@serverlocal.service
> /sys/fs/cgroup/systemd/system.slice/system-openvpn\x2dserver.slice/openvpn-server@server.service
> /sys/fs/cgroup/systemd/system.slice/system-openvpn\x2dserver.slice/openvpn-server@serverlocal.service
> /sys/fs/cgroup/unified/system.slice/system-openvpn\x2dserver.slice/openvpn-server@server.service
> /sys/fs/cgroup/unified/system.slice/system-openvpn\x2dserver.slice/openvpn-server@serverlocal.service
> /etc/systemd/system/multi-user.target.wants/openvpn-server@server.service
> /etc/systemd/system/multi-user.target.wants/openvpn-server@serverlocal.service
>
> These are the files matching and I don't know which two are the real files to
> edit...

You haven't found the file that you were looking for ..

--
Re: [Openvpn-users] How to enable timestamps in server logfile?
Hi,

--- Original Message ---
On Saturday, June 18th, 2022 at 18:03, Bo Berglund wrote:

> On Sat, 18 Jun 2022 13:46:09 +0000, tincantech via Openvpn-users
> openvpn-users@lists.sourceforge.net wrote:
>
> > Hi,
> >
> > --- Original Message ---
> > On Saturday, June 18th, 2022 at 09:26, Bo Berglund bo.bergl...@gmail.com
> > wrote:
> >
> > > The way I did that:
> > >
> > > 1) sudo systemctl stop openvpn
> > > sudo systemctl stop openvpn@server.service
> > > sudo systemctl stop openvpn@serverlocal.service
> > > 2) sudo systemctl disable openvpn@server.service
> > > sudo systemctl disable openvpn@serverlocal.service
> > > sudo systemctl disable openvpn.service
> > > 3) Edit /etc/default/openvpn and comment out the AUTOSTART line
> > > 4) sudo mkdir /etc/openvpn/client
> > > sudo mkdir /etc/openvpn/server
> > > 5) sudo mv /etc/openvpn/server*.conf /etc/openvpn/server/
> > > 6) sudo systemctl enable --now openvpn-server@server
> > > sudo systemctl enable --now openvpn-server@serverlocal
> > >
> > > It seemed to work, but you might have spotted a flaw in this migration, so
> > > please advise how to actually disable/mask the offending services.
> >
> > That looks to be correct.
>
> Thanks for the confirmation!
>
> > If you want your log-file to contain time-stamps then edit the file:
> > /lib/systemd/system/openvpn-server@.service
> > remove '--suppress-timestamps'
>
> I cannot find such a file...

Well, you now know the solution.

All you need do is find where your Ubuntu hides systemd,
perhaps google "search" can do that for you.

--
Re: [Openvpn-users] How to enable timestamps in server logfile?
Hi,

--- Original Message ---
On Saturday, June 18th, 2022 at 09:26, Bo Berglund wrote:

> The way I did that:
>
> 1) sudo systemctl stop openvpn
> sudo systemctl stop openvpn@server.service
> sudo systemctl stop openvpn@serverlocal.service
> 2) sudo systemctl disable openvpn@server.service
> sudo systemctl disable openvpn@serverlocal.service
> sudo systemctl disable openvpn.service
> 3) Edit /etc/default/openvpn and comment out the AUTOSTART line
> 4) sudo mkdir /etc/openvpn/client
> sudo mkdir /etc/openvpn/server
> 5) sudo mv /etc/openvpn/server*.conf /etc/openvpn/server/
> 6) sudo systemctl enable --now openvpn-server@server
> sudo systemctl enable --now openvpn-server@serverlocal
>
> It seemed to work, but you might have spotted a flaw in this migration, so
> please advise how to actually disable/mask the offending services.

That looks to be correct.

If you want your log-file to contain time-stamps then edit the file:
/lib/systemd/system/openvpn-server@.service
remove '--suppress-timestamps'

--
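The advice in this thread (edit `openvpn-server@.service` and drop `--suppress-timestamps`) works, but a file under /lib/systemd/system or /usr/lib/systemd/system belongs to the package and is replaced on the next upgrade. The durable form of the same change is a drop-in: `systemctl edit openvpn-server@.service` opens /etc/systemd/system/openvpn-server@.service.d/override.conf, and systemd merges it over the packaged unit for every instance of the template. The one trap is that ExecStart= accumulates: without an empty `ExecStart=` line first, the override adds a second command and systemd refuses to load the unit ("more than one ExecStart= setting, which is only allowed for Type=oneshot services"). The Python below, added here as an illustration rather than anything from the original thread or the OpenVPN project, builds such a drop-in from the packaged ExecStart line. The ExecStart text is an assumption modelled on the Debian/Ubuntu unit; take the real one from `systemctl cat openvpn-server@.service` before using the output.

```python
# Assumed shape of the packaged unit's command line (check with
# `systemctl cat openvpn-server@.service`); this is an example value, not
# something read from the poster's system.
PACKAGED_EXECSTART = (
    "/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log "
    "--status-version 2 --suppress-timestamps --config %i.conf"
)


def strip_flag(execstart, flag):
    """Remove one boolean flag from an ExecStart command line, leaving
    everything else (including %-specifiers) untouched."""
    words = execstart.split()
    if flag not in words:
        raise ValueError(f"{flag} not present in: {execstart}")
    return " ".join(w for w in words if w != flag)


def override_dropin(execstart, flag):
    """Contents for openvpn-server@.service.d/override.conf.

    The empty 'ExecStart=' resets the packaged command; omitting it would leave
    two ExecStart= lines, which systemd rejects for anything but Type=oneshot."""
    return "\n".join([
        "[Service]",
        "ExecStart=",
        "ExecStart=" + strip_flag(execstart, flag),
        "",
    ])


def execstart_lines(dropin_text):
    """Count ExecStart= assignments in a drop-in; exactly two means reset+replace."""
    return sum(1 for line in dropin_text.splitlines() if line.startswith("ExecStart="))


if __name__ == "__main__":
    text = override_dropin(PACKAGED_EXECSTART, "--suppress-timestamps")
    print("# /etc/systemd/system/openvpn-server@.service.d/override.conf")
    print(text)
    print("# then: systemctl daemon-reload && systemctl restart openvpn-server@server")
```

After writing the file, `systemctl daemon-reload` (which `systemctl edit` performs for you) and a restart of each instance pick up the change; `systemctl cat openvpn-server@server.service` shows the merged result so you can confirm the packaged ExecStart is gone and the drop-in's is in force.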