[Openvpn-users] Smartcard based certificate OR: object length

2019-10-15 Thread J.Witvliet
Hi all, We are about to change from one smartcard towards another, and our team has been asked to verify whether it is compliant with some of the applications we are responsible for. Initially I was pretty confident that it would be a hasty, but smooth transition. Reality proved me wrong with re

[Openvpn-users] length ca file

2019-04-26 Thread J.Witvliet
Hi all, With the "ca" parameter, you should provide the full trust-chain of the ca's and sub-ca that signed the used certificate. And, as far as I can remember, you can concatenate multiple (pem-formatted) chains into one file. Is there a limit on the length, or on the number of certificates, or

[Openvpn-users] protecting private key

2018-11-13 Thread J.Witvliet
Hi all, One of the best ways to protect the private key (at the side of the user), is using a smart-card. Unlocking access to it, is normally done through the management-interface, with: -management-hold Start OpenVPN in a hibernating state, until a client of the management interface exp

Re: [Openvpn-users] VORACLE attack can only take place when three conditions are met?

2018-11-05 Thread J.Witvliet
Hi Javier, At one of the meetings with developers this issue was also raised... View was, that the vpn is not the proper place (and TIME) to do data-compression. Reasoning? Most traffic through the vpn, is often ssh, https, ica, and those are encrypted by themselves, so trying to compress encry

Re: [Openvpn-users] iphone7 with keynote

2018-09-26 Thread J.Witvliet
You are aware that setting the MTU is dangerous? In case some part of your route requires a lower MTU, you're screwed. If you dictate a value of 1492, it will do so, even if another router only can handle 1300 -Original Message- From: Frank [mailto:ve2...@ve2cii.com] Sent: Tuesday

Re: [Openvpn-users] http-proxy

2018-06-16 Thread J.Witvliet
For my reply, see below -Original Message- From: Gert Doering [mailto:g...@greenie.muc.de] Sent: Friday 15 June 2018 20:22 To: Witvliet, J, Ing., DMO/OPS/I&S/APH Cc: g...@greenie.muc.de; openvpn-users@lists.sourceforge.net Subject: Re: [Openvpn-users] http-proxy Hi, (copying the list b

[Openvpn-users] http-proxy

2018-06-15 Thread J.Witvliet
Hi all, I've got a client (Ubuntu-16.04-LTS), with multiple configurations: 1) UDP 2) TCP 3) HTTP-proxy With openvpn-2.3.5 each configuration works as expected. Now, when I upgrade to openvpn-2.4.6, UDP and TCP work, but http-proxy fails. And when I revert back to 2.3.5, HTTP

Re: [Openvpn-users] Send message to client

2017-12-13 Thread J.Witvliet
Sort of. What we do on the client, is trying to fetch any messages pending on the server for any/specific user, after the VPN comes up. Displaying mechanism could vary for each client -Original Message- From: Мастренко Иван [mailto:ivan.mastre...@cctcom.ru] Sent: Wednesday 13 December 201

Re: [Openvpn-users] VPN without encryption and auth

2017-08-02 Thread J.Witvliet
Disabling that all? You might as well simply use GRE, ip4-in-ip4 See LARTC From: Abi Askushi [mailto:rightkickt...@gmail.com] Sent: Wednesday 2 August 2017 13:42 To: openvpn users list (openvpn-users@lists.sourceforge.net) Subject: [Openvpn-users] VPN without encryption and auth Hi All, I am co

Re: [Openvpn-users] OpenVPN over ssh tunnel

2017-01-02 Thread J.Witvliet
Hi, What you ask is indeed possible, but imho a waste of time. If your network admin has the cheek to block openvpn-traffic, he will certainly also block ssh later on. The best advice I can give you, is use the https encapsulation offered by openvpn itself. It is very unlikely that your admin

Re: [Openvpn-users] pkcs11-protected-authentication

2016-06-02 Thread J.Witvliet
Hi Jan, I have two situations, where I observed the expected conduct when changing from a simple smart-card reader towards a class-2 or class-3 reader (pinpad with just a small keyboard and one with keyboard and tiny display) - The first one is pkcs11-tools -O -l (forcing a login) I ge

[Openvpn-users] pkcs11-protected-authentication

2016-05-31 Thread J.Witvliet
Retrying, It seems my appended log was too long. Hi all, Has anyone positive experience with ${SUBJECT} ? Just been googling, from the 6190 results, they can be split up into: A) Countless times the manpage or howto, simply saying: "pkcs11-protected-authentication [0|1]... Use PKCS#11 p

Re: [Openvpn-users] Just a one-shot

2016-05-24 Thread J.Witvliet
Hi all, Some simple feedback. I think that the cause has been found. On the server (where I have no access to neither config nor log) I heard that the ping-exit was set to 3600. That could explain why the server did not detect the departure of any client :-) Hans -Original Message- From

[Openvpn-users] Just a one-shot

2016-05-20 Thread J.Witvliet
Hi all, Does anyone have a bright idea about this? From my system I can set-up a connection to an openvpn server, and all works perfectly, until I disconnect. When I try to setup the connection again I simply see in the client-log (as final lines) this: Fri May 20 12:45:38 2016 us=869262 Co

Re: [Openvpn-users] Detecting client certificate CN during connection

2016-04-28 Thread J.Witvliet
True, I only spread new sessions among listening processes/servers. So NO load-balancing, nor H-A. Most of the time that's enough. From: Jan Just Keijser [mailto:janj...@nikhef.nl] Sent: Thursday 28 April 2016 17:14 To: Witvliet, J, Ing., DMO/OPS/I&S/HIN; rcwhe...@gmail.com Cc: openvpn-users@li

Re: [Openvpn-users] Detecting client certificate CN during connection

2016-04-28 Thread J.Witvliet
Putting a load-spreader in front of a set of vpn-processes (or even vpn-servers) is obtainable with basic iptables/ip6tables rules. Simply statistical multiplexing over a number of destination ports/ip-addresses with nat. (it is actually one of the few valid reasons for using NAT on IPv6) However

Re: [Openvpn-users] Issue getting to LAN behind VPN Server

2016-01-12 Thread J.Witvliet
One small remark below: -Original Message- From: Bonno Bloksma [mailto:b.blok...@tio.nl] Sent: Tuesday 12 January 2016 8:33 To: openvpn-users@lists.sourceforge.net Subject: Re: [Openvpn-users] Issue getting to LAN behind VPN Server # Set policies $IPTABLES -P INPUT DROP $IPTABLES -P FO

Re: [Openvpn-users] Issue getting to LAN behind VPN Server

2016-01-06 Thread J.Witvliet
Hi Jeff, When I was reading your message, two possibilities came up: a) smaller subnets take precedence over larger subnets, which can cause all sorts of undesirable effects when you have overlapping networks (though not appropriate in your case, I think) b) conflict between routes pushed by dhc

Re: [Openvpn-users] any way to add additional DHCP options?

2015-07-01 Thread J.Witvliet
-Original Message- From: Jan Just Keijser [mailto:janj...@nikhef.nl] Sent: Wednesday 1 July 2015 12:52 To: Gert Doering; Jason Haar Cc: openvpn-users@lists.sourceforge.net Subject: Re: [Openvpn-users] any way to add additional DHCP options? Hi, On 01/07/15 11:28, Gert Doering wrote: > Hi,

Re: [Openvpn-users] Server listen on a specific IPv4 and IPv6 Address

2015-06-11 Thread J.Witvliet
Actually, I would put it the other way round: Why would you want a single process to listen in on different IP-streams (udp/tcp/v4/v6) ? Consider risk reduction. If one fails, the others just carry on: don't try to create a SPOF. Hans From: Joe Patterson [mailto:j.m.patter...@gmail.com] Sent: woen

[Openvpn-users] management

2015-06-03 Thread J.Witvliet
Hi all, Any idea what will cause the management-daemon to quit (telnet session broken), except for restarting the vpn-process? Initially I started a telnet at the beginning of each client connection, but that was too slow/late. Now I permanently listen in on the management port, but sometimes the

Re: [Openvpn-users] write UDPv4 Operation not permitted (code=1)

2015-05-13 Thread J.Witvliet
Hi Lisa, First things that come to my mind, are too restrictive settings for apparmor or selinux, but I presume you have checked that... Hans -Original Message- From: Lisa Minogue [mailto:lmino...@mail.be] Sent: Tuesday 12 May 2015 16:50 To: openvpn-users@lists.sourceforge.net Subject:

Re: [Openvpn-users] Disconnects, maybe from "Bad source address" messages after connection

2015-04-20 Thread J.Witvliet
Everything has its pros/cons. If a connection stands, it only consumes cycles and battery power. I was wondering, even if a connection was re-established with the peer-id, would full negotiation take place, requiring the access to your private key, and in some cases the prompting for the PIN?

Re: [Openvpn-users] Disconnects, maybe from "Bad source address" messages after connection

2015-04-17 Thread J.Witvliet
Hi Jeff, It is indeed a strange phenomenon that you describe. The proposed peer-ID might help, but that is treating only the consequence, not the cause. Why does your client change its reply-port from 50349 towards 50348 ??? NAT-tables might expire or reloaded, but one should in those cases comm

Re: [Openvpn-users] limits

2014-12-10 Thread J.Witvliet
Hi Gert, I was testing on UDP. It does not mean I won't be testing with tcp, but that volume is near to nothing compared to what we need for udp... Hans -Original Message- From: Gert Doering [mailto:g...@greenie.muc.de] Sent: Tuesday 9 December 2014 17:53 To: Witvliet, J, DMO/OPS/I&S/HIN

Re: [Openvpn-users] limits

2014-12-09 Thread J.Witvliet
Nice gesture, but no. Raised it from 1024 to 4096, so I presume about five pv-clients should be more than enough to solve this Hans -Original Message- From: Simon Deziel [mailto:simon.dez...@gmail.com] Sent: Tuesday 9 December 2014 16:18 To: openvpn-users@lists.sourceforge.net Subject:

Re: [Openvpn-users] limits

2014-12-09 Thread J.Witvliet
No, I'm typing out-of-my-head. By default we use 64 or 128, and I asked him to raise it to 2048, with corresponding network & netmask. Hans -Original Message- From: Eric Crist [mailto:ecr...@secure-computing.net] Sent: Tuesday 9 December 2014 16:10 To: Witvliet, J, DMO/OPS/I&S/HIN Cc: h

Re: [Openvpn-users] limits

2014-12-09 Thread J.Witvliet
Hi Jan, Yeah, I do use --max-client 2028, but still... only 1024, so it is hard coded into openvpn. It is not such a big deal, as long as you know about it. In real life, it will never occur, but it is hard to emulate 2000 "real users" I will try testing from several virtualized clients, each havi

[Openvpn-users] limits

2014-12-09 Thread J.Witvliet
Hi all, I've been trying to do some testing in our lab. We rather find out about impact and limitations in the lab than later on in real life ;-) I used to think that the max number of tunnels per vpn-process was limited to 250, But much to my surprise, this is apparently an urban-legend. From m

Re: [Openvpn-users] Layer 2 tunnel (VPN)

2014-11-21 Thread J.Witvliet
I fully agree with Sameh, You can do L2 tunneling, but you should very much ask yourself: do I really need L2? Turning on a network analyzer (and measuring the wasted bandwidth by all sorts of broadcasts) may be enough, for thinking otherwise. Sure, with your firewall you can block most of it, b

Re: [Openvpn-users] CN-surprise

2014-11-06 Thread J.Witvliet
Thanks all, It seems with openvpn you have more freedom and you are much more in control yourself, compared to server/clients-certs on web-servers/clients. The amount of freedom is a relief, (as long as you are aware of it ;-) Tnx, Hans -Original Message- From: Gert Doering [mailto:g...

[Openvpn-users] CN-surprise

2014-11-06 Thread J.Witvliet
Hi all, Where & when is the relationship between the URL of the vpn-server tested? During server-startup? As in all the how2's wiki's and man's, I have a (test) vpn-server and its URL is in the CN-field of the server-certificate and I use that name on client machines. Of course such a schoolbo

Re: [Openvpn-users] RE 2.3.5 - systemd

2014-10-30 Thread J.Witvliet
Sorry Gert, In my previous mail I had both log and spec attached, which the list bounced back (size) I am calling it via the web/interface of https://build.opensuse.org/package/show/home:testhans:network:network:vpn/openvpn-next (before mentioning it, I only had some suse/repo's enabled, I l

[Openvpn-users] 2.3.5 - systemd

2014-10-29 Thread J.Witvliet
Hi David, In the 2.3.5-changes I noticed: David Sommerseth (4): Improve error reporting on file access to --client-config-dir and --ccd-exclusive Don't let openvpn_popen() keep zombies around Add systemd unit file for OpenVPN systemd: Use systemd functions to conside

Re: [Openvpn-users] multiple clients with same cert leads to problems

2014-10-08 Thread J.Witvliet
Hi Jason, I've seen something like that. With regards to "explicit-exit-notify", (default is already "1"), that only works if there still is a connection. If the underlying connection is broken, (cable unplugged, A.P.-down, power-cycle) there is no way a notify can be sent :-) Perhaps it will h

Re: [Openvpn-users] http-proxy

2014-06-19 Thread J.Witvliet
Hi Jan, From: Jan Just Keijser [mailto:janj...@nikhef.nl] Sent: Thursday 19 June 2014 16:28 To: Witvliet, J, DMO/OPS/I&S/HIN; openvpn-users@lists.sourceforge.net Subject: Re: [Openvpn-users] http-proxy Hi Hans, On 19/06/14 16:07, j.witvl...@mindef.nl wrote: Hi all,

[Openvpn-users] delta-CRL

2014-06-19 Thread J.Witvliet
Hi all, In the server you can specify the file-location of a (previously-fetched-by-cron) revocation list. But what if admins tell you, that you should be using delta-crl's (because they are much smaller)? Should I "cat" all those files together? Or should I examine the validity-period manuall

[Openvpn-users] http-proxy

2014-06-19 Thread J.Witvliet
Hi all, Just visited another ministerial department, where they also might be using our openvpn set-up. As predictable, a whole new list of challenges ... One of them is related to the use of http encapsulation: At the client you can configure that all traffic should go to proxy.company.org, por

[Openvpn-users] storage for private key

2014-05-15 Thread J.Witvliet
Hi all, The safest place to keep the private key, is on a smartcard protected by a PIN. Many people use this on the client-side for openvpn (but also other applications) I was wondering if people have experience with storing the private-key of the vpn-server on a crypto-device, like a token, smartc

Re: [Openvpn-users] Does OpenVPN use the TLS heartbeat extension? (OpenSSL Security Advisory CVE-2014-0160)

2014-04-08 Thread J.Witvliet
Just wondering... This bleeding isn't only about openvpn, but all that uses an unpatched openssl-lib. On the heartbleed-bug-live-blog, they advise to regenerate private-key, and request/replace ssl-certificate. Just in case. That is all very well for people using self-signed certs and file based-k

[Openvpn-users] packet-size

2014-04-02 Thread J.Witvliet
Hi all, After some were complaining, I found out within my organization someone decided that forbidding fragmentation "is a good thing" (tm) And certainly will not turn DF off. Most people never noticed, as their weakest link-in-the-chain is their own wifi network at home;-)) However, some are rea

[Openvpn-users] solved, was problem with pkcs11-ids

2014-04-01 Thread J.Witvliet
It seems I tried to be a smart-ass. Just using the unfiltered ids-string AND inserting it between single quotes removed the error from the log. (blush, shame on me ) From: j.witvl...@mindef.nl [mailto:j.witvl...@mindef.nl] Sent: Tuesday 1 April 2014 11:25 To: janj...@nikhef.nl; openvpn-users@lists.sou

Re: [Openvpn-users] problem with pkcs11-ids

2014-04-01 Thread J.Witvliet
Hi Jan, This spin-off project is for a different ministry, so I just have one smartcard for test purposes :( So it is hard to be certain if the card itself is to blame, or its content, or the way it is placed on the card. Several years ago I started with some etokens, that worked without any se

[Openvpn-users] problem with pkcs11-ids

2014-03-31 Thread J.Witvliet
Hi all, We have been working with the combination of smartcard and openvpn together successfully for quite some time now. Other organizations wanted to use a similar set-up but I ran into something peculiar. I got from them a smartcard for testing purposes, and if I do on the commandline: # openv

Re: [Openvpn-users] OpenVPN as a viable commercial replacement

2014-03-24 Thread J.Witvliet
Comment on a single aspect... -Original Message- From: Eric Crist [mailto:ecr...@secure-computing.net] Sent: Monday 24 March 2014 16:26 To: Jason Frisvold Cc: OpenVPN Users List Subject: Re: [Openvpn-users] OpenVPN as a viable commercial replacement > > I read elsewhere that ther

Re: [Openvpn-users] Diffie Hellman

2014-01-28 Thread J.Witvliet
See below -Original Message- From: David Sommerseth [mailto:openvpn.l...@topphemmelig.net] Sent: Tuesday 28 January 2014 13:01 To: Witvliet, J, DMO/OPS/I&S/HIN; openvpn-users@lists.sourceforge.net Subject: Re: [Openvpn-users] Diffie Hellman On 28/01/14 10:16, j.witvl...@mindef.nl wrote:

[Openvpn-users] Diffie Hellman

2014-01-28 Thread J.Witvliet
Hi all, Once in a while it is handy to review all you've been doing and wonder if what you do is still wise, or you are just giving yourself a false sense of security. One of the things that kept me awake was the diffie-hellman-parameter. I (like probably a lot of people around here) just us

[Openvpn-users] reverting DNS-forwarding

2013-11-04 Thread J.Witvliet
Hi all, Before delving deeper into it, perhaps someone has seen this behavior before. What I seem (..) to see, is this: 1) doing a DNS-push towards the client 2) new dns-server gets into /etc/resolv.conf 3) all works OK ;-) 4) stop the vpn 5) the pushed dns-server is

Re: [Openvpn-users] openvpn

2013-10-06 Thread J.Witvliet
Run openvpn on non default port. Some people are doing it simply over port 53 (DNS), but if needed you can use http encapsulation and use port 443 From: Krishna Murthy [mailto:kmurthy@gmail.com] Sent: Sunday, October 06, 2013 11:08 AM W. Europe Standard Time To: Openvpn-users@lists.sour

[Openvpn-users] smart stuff

2013-09-27 Thread J.Witvliet
Hi all, Perhaps someone has dealt with this before. At fosdem-2012 I was warned, that multiple users/programs could not access smartcards simultaneously. So I was wondering, could I use the credentials on my smartcard for creating parallel/nested tunnels? I mean, does openvpn release the ca