Re: [Openvpn-users] Client history

2024-02-28 Thread Marc SCHAEFER
On Wed, Feb 28, 2024 at 12:52:17PM +, Peter Davis via Openvpn-users wrote: > # #!/bin/bash > # export script_type="client-connect" > # export common_name="CommonName" > # export trusted_ip="192.168.129.253" > # ./server-events.sh I did not follow the whole discussion, but why on earth are you

[Openvpn-users] OpenVPN and MTU

2024-02-22 Thread Marc SCHAEFER
Hello, First: I don't have any problem with OpenVPN and MTU, this is out of curiosity. This is a simplified network map: 185.250.56.2 OpenVPN --- A.B.C.D (PPPoE) OpenVPN -- 193.72.186.160 (BGP router for 193.72.186.0/24) Look: (reliant is somewhere else on the internet, X.Y.88.46)

Re: [Openvpn-users] How to hide the number of connections to the server?

2024-02-08 Thread Marc SCHAEFER
Hello, On Thu, Feb 08, 2024 at 11:59:16AM +0100, Gert Doering wrote: > On Thu, Feb 08, 2024 at 10:36:31AM +, Peter Davis via Openvpn-users wrote: > > Is there a way to hide the number of connections to a server? Can an > > intermediate server do this? Instead of connecting directly to the

Re: [Openvpn-users] Can a configuration item be cleared in the server.conf file

2024-02-05 Thread Marc SCHAEFER
On Mon, Feb 05, 2024 at 09:55:58AM +0100, Bo Berglund wrote: > I tried the service restart and it worked inasfar as the logs now look like > this > example: > > Mon Feb 5 09:42:42 2024 us=734354 succeeded -> ifconfig_pool_set() Do you mean rsyslog logs? Again, systemd changes everything: you

Re: [Openvpn-users] Can a configuration item be cleared in the server.conf file

2024-02-05 Thread Marc SCHAEFER
Hello, On Mon, Feb 05, 2024 at 12:06:13AM +0100, Bo Berglund wrote: > restart the specific services or do I have to restart the server computer > itself? I am no systemd specialist, however, most of the time you change a systemd config file you should do: systemctl daemon-reload

Re: [Openvpn-users] Can a configuration item be cleared in the server.conf file

2024-01-27 Thread Marc SCHAEFER
Hello, On Sat, Jan 27, 2024 at 01:06:15PM +0100, Jochen Bern wrote: > (Note that, back when I had to try to get rid of the parameterless > "--daemon" in the unit file, I found that the unit file would get > overwritten with every update - unlike "normal" config files, where a new > packaged

Re: [Openvpn-users] OpenVPN on port 443

2024-01-24 Thread Marc SCHAEFER
Hello, On Wed, Jan 24, 2024 at 11:49:43AM +, Peter Davis wrote: > I am testing this scenario in a virtual environment before moving it to the > real world. So, use subnets within private address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), or possibly some other reserved addresses

Re: [Openvpn-users] OpenVPN on port 443

2024-01-23 Thread Marc SCHAEFER
Hello, On Wed, Jan 24, 2024 at 06:14:22AM +, Peter Davis via Openvpn-users wrote: > 1- I don't understand what you mean about "server 20.20.0.0 255.255.255.0". > What is the difference between IP range 10.X and 20.X? 10.0.0.0/8 is a private range, that you can use as you please for private

Re: [Openvpn-users] Reaching connected client machine from the server through the tunnel?

2024-01-17 Thread Marc SCHAEFER
Hello, On Wed, Jan 17, 2024 at 09:57:41PM +0100, Bo Berglund wrote: > Is there some way when that RPi has connected to my OpenVPN server to reach it > "backwards" via the connected tunnel? I mean to establish a command line SSH > interface through the tunnel or similar. Well, it has a

Re: [Openvpn-users] OpenVpn client connect on system start in Linux?

2023-11-22 Thread Marc SCHAEFER
On Wed, Nov 22, 2023 at 03:03:45PM +0100, Marc SCHAEFER wrote: > that particular config, for example, if your file is /etc/openvpn/toto.conf I meant /etc/openvpn/client/toto.conf > systemctl status openvpn-client@toto.service

Re: [Openvpn-users] OpenVpn client connect on system start in Linux?

2023-11-22 Thread Marc SCHAEFER
Hello, On Wed, Nov 22, 2023 at 02:44:57PM +0100, Bo Berglund wrote: > Is it enough to put the OVPN file (renamed to extension conf) into the > /etc/openvpn/client dir? I think it is not enough with recent Debian releases using systemd. AFAIK raspi is somewhat Debian. Here you need to test the

Re: [Openvpn-users] --user specified but lacking CAP_SETPCAP

2023-10-26 Thread Marc SCHAEFER
> used to allow the OpenVPN process to keep setup certain capabilities as it > transitions to the user provided via the --user option. The CAP_NET_ADMIN > is, not surprisingly, used to setup the virtual network adapter (both tun > and ovpn-dco) and get network routes set up properly. And, if you

Re: [Openvpn-users] openVPN vs openSSH for single user access

2023-02-15 Thread Marc SCHAEFER
On Wed, Feb 15, 2023 at 05:43:12PM +0100, Jan Just Keijser wrote: > Having port 22 open on the internet is asking for bots & script kiddies to > try and break in, but usually fail2ban takes care of it quite nicely. Yes, and you can report to abuseipdb.com -- that's why my main server has port

Re: [Openvpn-users] openVPN vs openSSH for single user access

2023-02-15 Thread Marc SCHAEFER
On Wed, Feb 15, 2023 at 05:19:07PM +0100, Gert Doering wrote: > SPF itself is not the problem (that only checks envelope-from, which > the list does change), but DMARC with p=reject is. Correct! > Not sure if the list actually can do the "do the From: rewrite for > DMARC p=reject enabled

Re: [Openvpn-users] openVPN vs openSSH for single user access

2023-02-15 Thread Marc SCHAEFER
On Wed, Feb 15, 2023 at 04:43:07PM +0100, Gert Doering wrote: > On Wed, Feb 15, 2023 at 04:06:44PM +0100, Marc SCHAEFER wrote: > > I run OpenSSH with UDP and on a random port, it is presumably much > > more difficult to find on scanners. > > I guess this was inte

Re: [Openvpn-users] openVPN vs openSSH for single user access

2023-02-15 Thread Marc SCHAEFER
On Wed, Feb 15, 2023 at 02:12:58PM +0100, Stefanie Leisestreichler wrote: > Which leads to the question: Do you focus with same caution to an exposed > openvpn service or is this more specific for those sshd? No. I run OpenSSH with UDP and on a random port, it is presumably much more difficult

Re: [Openvpn-users] Getting: 2 updates could not be installed automatically

2022-03-08 Thread Marc SCHAEFER
On Tue, Mar 08, 2022 at 10:02:19PM +0100, Bo Berglund wrote: > It says that I have held broken packages but I have no idea on what that even > means or how one can "hold" something in a computer A held package is a package that is marked as DO NOT TOUCH (no upgrade). To list held packages,

Re: [Openvpn-users] Expected transfer speed LAN-LAN using OpenVPN?

2022-02-13 Thread Marc SCHAEFER
Hello, On Sat, Feb 12, 2022 at 06:22:41PM +0100, Bo Berglund wrote: > So this is about 10 Mbit/s speed... > I had really hoped for something better than 1/25th of the connection speed. > Is this normal or is there some way to improve the speed? Depending on the hardware, I can measure up to 7-8

Re: [Openvpn-users] a good Web PKI interface for Linux and OpenVPN

2021-05-26 Thread Marc SCHAEFER
On Wed, May 26, 2021 at 10:23:03AM -0300, Leonardo Rodrigues wrote: > Are there some good Web based PKI interfaces that can be used to > generate certificates and also provide ready (based on templates) OpenVPN > config files? My VPN provider SNN (swissneutral.net) uses an ISP open source

Re: [Openvpn-users] "PID_ERR large diff" messages

2021-03-18 Thread Marc SCHAEFER
On Thu, Mar 18, 2021 at 10:13:35AM +0100, Steffan Karger wrote: > If you see these a lot, it might be worth checking the network between > client and server to see why this packet reordering happens. Typically, I saw those (but not as many as reported by that user) when my CATV connection was

Re: [Openvpn-users] mssfix set to zero

2021-03-11 Thread Marc SCHAEFER
On Thu, Mar 11, 2021 at 05:06:49PM +, tincanteksup wrote: > Yes, i'm using http server on vpn server and wget on vpn client. Ok, so, on-the-fly TCP MSS clamping will also work in this scenario, which is a quite rare scenario anyway.

Re: [Openvpn-users] mssfix set to zero

2021-03-11 Thread Marc SCHAEFER
On Thu, Mar 11, 2021 at 03:25:25PM +, tincanteksup wrote: > I was expecting that openvpn configure MSS at the IP level so > that only the kernel manages that side of the packet creation. What would happen if the OpenVPN client is actually a router that forwards traffic from a network? In that

Re: [Openvpn-users] mssfix set to zero

2021-03-09 Thread Marc SCHAEFER
On Tue, Mar 09, 2021 at 04:48:43PM +0100, Gert Doering wrote: > No. The code in question is not OS dependent (forward.c, mss.c, no > #ifdef _WIN32 anywhere close to "mss"). Some background: Actually, OpenVPN acts here as a firewall with inspection and mangling, as far as I understand, modifying

Re: [Openvpn-users] TCP syn]

2021-02-25 Thread Marc SCHAEFER
On Thu, Feb 25, 2021 at 09:17:11AM +0100, Jan Just Keijser wrote: > send raw packets. On linux this is possible, not sure about Windows, but > it's definitely a no-no on Android or iOS. If DDoS or cracking attempts are a problem with your setup, and port-knocking is not applicable, why not add a

Re: [Openvpn-users] TCP syn]

2021-02-24 Thread Marc SCHAEFER
On Wed, Feb 24, 2021 at 10:49:56PM +, tincanteksup wrote: > My idea (as daft as it is) would only serve one purpose: To hide a > listening TCP port. Because there would be no SYN-ACK from the server if > the SYN failed security checks. This is what port knocking does: unfirewall the

Re: [Openvpn-users] TCP syn]

2021-02-24 Thread Marc SCHAEFER
On Wed, Feb 24, 2021 at 07:27:09PM +, tincanteksup wrote: > which suggested to me that openvpn may have some vulnerability to TCP DDos. A Linux kernel can offer a few protections against DDoS, for example SYN cookies to avoid memory exhaustion with fake TCP connection openings. You may have

Re: [Openvpn-users] TCP syn

2021-02-24 Thread Marc SCHAEFER
On Wed, Feb 24, 2021 at 06:01:19PM +, tincanteksup wrote: > today I discovered that a server using TCP responds to an initial Syn packet > with an ack packet, This is standard TCP protocol (SYN, SYN ACK, ACK). It is executed in the kernel. Only after the client ACK is received by the server

Re: [Openvpn-users] OpenVPN frequent renegotiation and sometimes downtime

2020-08-07 Thread Marc SCHAEFER
Hello, I now think my VPN is running reliably: a ping every 5 minutes over the last 15 hours has shown 100% success. The bug was in the UPC router firmware, blocking from time to time traffic on port 4998/UDP where I run my multi-site VPN. The funny thing is that the bug showed itself not only

Re: [Openvpn-users] OpenVPN frequent renegotiation and sometimes downtime

2020-07-26 Thread Marc SCHAEFER
On Sat, Jul 25, 2020 at 10:40:47AM +0200, Gert Doering wrote: > Check your config for "reneg-bytes", "reneg-pkts" and "reneg-sec" settings > that are non-default. Definitely, there was a server-side client script pushing that, it is commented now. Still testing to see if the problem reproduces

Re: [Openvpn-users] OpenVPN frequent renegotiation and sometimes downtime

2020-07-25 Thread Marc SCHAEFER
On Fri, Jul 24, 2020 at 11:20:32PM +0100, tincanteksup wrote: > not sure how you have your configs setup (maybe post further details) but .. > Using --verb 4 may help with extra log details. Thank you, will collect more information. It now suspiciously looks like a firewall issue.

[Openvpn-users] OpenVPN frequent renegotiation and sometimes downtime

2020-07-24 Thread Marc SCHAEFER
Hello, I have an OpenVPN server on a fixed IP address, using the CA mode. I have 3 clients, two on dynamic IP and behind CGNAT, and one on fixed IP. I observe frequent downtimes, that's why I have investigated a bit. They heal by themselves, but sometimes they last more than 10 minutes, which

Re: [Openvpn-users] OpenVPN issues with Windows NLA

2020-07-03 Thread Marc SCHAEFER
On Fri, Jul 03, 2020 at 01:20:09AM +0100, tincanteksup wrote: > DNSSec would put an end to this sort of snooping .. lol As Gert said, no, it won't. What you may want is DNS over HTTPS or over TLS. However, in that case, it's the DNS provider that can snoop on you, but no longer your ISP. If your

Re: [Openvpn-users] OpenVPN architecture

2020-04-29 Thread Marc SCHAEFER
On Wed, Apr 29, 2020 at 09:37:06AM +0200, Gert Doering wrote: > > HTTPS also has PFS[1] now, does OpenVPN have PFS too ? :)) > > Of course :-) > > (it always had, in TLS mode. Not in p2p --secret mode, but that is > deprecated - no PFS is one of the reasons) Nice! Thanks Gert.

Re: [Openvpn-users] OpenVPN architecture

2020-04-29 Thread Marc SCHAEFER
On Tue, Apr 28, 2020 at 10:26:40PM +, Leroy Tennison via Openvpn-users wrote: > Is OpenVPN architecture similar to HTTPS where the certificate, etc. is used > to encrypt and transmit a symmetric key which is then used for all future > communication? HTTPS also has PFS[1] now, does OpenVPN

Re: [Openvpn-users] Checking OpenVPN connectivity

2020-04-29 Thread Marc SCHAEFER
On Tue, Apr 28, 2020 at 10:45:03PM +, Leroy Tennison via Openvpn-users wrote: > udp packets from a source making it to a destination) without actually trying > to make a connection You can try netcat, with the -u option. Now, if you have a really powerful firewall it may see this is not

Re: [Openvpn-users] Capture all traffic in a client-to-client setup

2019-05-26 Thread Marc SCHAEFER
Hello, Thank you for your reply: On Mon, May 20, 2019 at 07:46:11PM +0200, Jan Just Keijser wrote: > you'd have to disable 'client-to-client' , enable IP forwarding on your > server and set up the appropriate routing and iptables rules. Packets should > essentially "leave" openvpn and be handed

[Openvpn-users] Capture all traffic in a client-to-client setup

2019-05-19 Thread Marc SCHAEFER
Hello, I run a layer 2 (bridging) large OpenVPN network linking ethernet interfaces, wifi interfaces, software bridges, tap interfaces, etc. The idea behind the layer 2 virtual network was for maximum flexibility: it is an educational network where people must collaboratively manage it