I recently deployed an OpenVPN server (Linux) for a company that has primarily
Windows 10 computers for client machines, on a Windows Domain Controller
environment, where the end users don’t have Local Admin or Domain Admin rights,
as policy.
Having the OpenVPN GUI require admin privileges
On Thu, 15 Dec 2016 13:02:38 -0500, Selva Nair wrote:
> Opening /dev/fd/xx should work as we just use fopen(). I think the
> trouble is because of redirection with the sudo.
>
> Try this instead:
>
> sudo bash -c "openvpn <( bzcat vpngate_1.0.126.222_tcp_995.ovpn_JP.bz2
> )"
Correct, it does th
On 15/12/16 21:35, Dreetjeh D wrote:
> Hi,
>
> So in (2), parts of the one ta.key are used.
>
> I had a hunch when looking at the logs stating:
>
> >TLS: Initial packet from [AF_INET]:1194, sid=
> <
>
> Where the X's represent the subkeys?
>
> Thinking loud,
Looking for help troubleshooting a new openvpn setup using elliptical curve
openssl generated certificates.
Same client config works on 2.4rc1 client, but I can't get it working on iOS
connect app.
I have tried commenting out tls-cipher, tls-version-min and cipher on both
client and server co
On 15.12.2016 20.45, David Sommerseth wrote:
> If you have a shabby random number generator and no entropy gathering
> configured,
> those keys can be fairly poor. This goes in particular for embedded devices,
> but also in
> some cases also includes virtual machines (depends on if the hypervisor
Hi,
On 15 December 2016 at 21:35, Dreetjeh D wrote:
> So in (2), parts of the one ta.key are used.
>
> I had a hunch when looking at the logs stating:
>
> >TLS: Initial packet from [AF_INET]:1194, sid=
> <
>
> Where the X's represent the subkeys?
No, that's jus
Hi,
On 15 December 2016 at 19:11, David Sommerseth
wrote:
> On 15/12/16 16:35, Sebastian Rubenstein wrote:
>> Could you explain in greater detail your statement "use AES-256-GCM
>> for more efficiency on the data channel"?
>
> I'll leave this to Steffan (or JJK).
AES-GCM has a shorter authentica
Hi,
So in (2), parts of the one ta.key are used.
I had a hunch when looking at the logs stating:
>TLS: Initial packet from [AF_INET]:1194, sid=
<
Where the X's represent the subkeys?
Thinking loud, the opposite side uses two different subkeys, then four
su
On 15/12/16 20:55, Dreetjeh D wrote:
>
> Sorry, I forgot cc
>
> Hi,
>
> I have a question about this:
>
> On 14-12-2016 at 21:06, Steffan Karger wrote:
>>
>> You're using TLS-auth to protect against mitm attacks on your TLS
>> connection, which is very good. *key-direction 1 means you are usi
Sorry, I forgot cc
Hi,
I have a question about this:
On 14-12-2016 at 21:06, Steffan Karger wrote:
You're using TLS-auth to protect against mitm attacks on your TLS
connection, which is very good. key-direction 1 means you are using
different keys for client-server and server-client traffi
On 15/12/16 20:05, Magnus Kroken wrote:
> Hi Kevin
>
> On 14.12.2016 07.54, Kevin Long wrote:
>> Assuming an adversary has full access to intercept your network traffic,
>> and virtually limitless computing power, What would you do to make the
>> best OpenVPN setup?
> --snip--
>> 1. Use easy-rsa3
Hi Kevin
On 14.12.2016 07.54, Kevin Long wrote:
> Assuming an adversary has full access to intercept your network traffic,
> and virtually limitless computing power, What would you do to make the
> best OpenVPN setup?
--snip--
> 1. Use easy-rsa3 or equivalent openssl commands to generate your
> ke
On 15/12/16 16:35, Sebastian Rubenstein wrote:
> Hi Steffan
>
> Thanks for taking the time to explain to me the salient features of
> a good encryption/decryption VPN.
>
>>> tls-client
>>
>> This means you're using TLS for forward secrecy, and are refreshing your
>> data channel keys (at least) ho
On Thu, Dec 15, 2016 at 9:24 AM, Gert Doering wrote:
> > Still, the process-substitution-based version will fail as follows:
> >
> > $ sudo openvpn <( bzcat vpngate_1.0.126.222_tcp_995.ovpn_JP.bz2 )
> > Options error: In [CMD-LINE]:1: Error opening configuration file: /dev/
> > fd/63
> > Use --
On 15/12/16 16:08, Sebastian Rubenstein wrote:
> Hi Jan,
>
> Thanks for your tip.
>
>> You can check the cipher strength of the CA certificate by
>> writing the CA blob
>>
>>
>> -----BEGIN CERTIFICATE-----
>>
>> Large chunks of alphanumeric text
>>
>> -----END CERTIFICATE-----
>>
>>
>> to a fi
Hi,
There are many criteria to judge if a VPN provider is good, reliable,
trustworthy, etc.. and in this thread I am focusing on just the technical
criteria. And thanks to Steffan for helping me to understand better what they
are to be considered.
In addition to the ones listed below, what oth
Hi Steffan
Thanks for taking the time to explain to me the salient features of a good
encryption/decryption VPN.
> > tls-client
>
> This means you're using TLS for forward secrecy, and are refreshing your
> data channel keys (at least) hourly. That's good.
Is "forward secrecy" the same as "Per
Hi Jan,
Thanks for your tip.
> You can check the cipher strength of the CA certificate by
> writing the CA blob
>
>
> -----BEGIN CERTIFICATE-----
>
> Large chunks of alphanumeric text
>
> -----END CERTIFICATE-----
>
>
> to a file and then run
>openssl x509 -text -noout -in cert.pem | g
Hi,
On Thu, Dec 15, 2016 at 01:12:59PM +, Hongyi Zhao wrote:
> On Thu, 15 Dec 2016 10:52:05 +0100, Gert Doering wrote:
>
> > A *tar* file is a container, that contains files plus header
> > information.
>
> I also tried the bz2 format just for testing, see the following commands:
>
> $ diff
Hi,
I fully agree with Steffan. An extra check you can throw in is to check
the client and server side certificates, as well as the CA certificate.
The server certificate may be signed using RSA4096 but if other
certificates in the chain are weaker then this offers little
protection. You can
On 15/12/16 11:12, Hongyi Zhao wrote:
> On Thu, 15 Dec 2016 10:52:05 +0100, Gert Doering wrote:
>
>> A *tar* file is a container, that contains files plus header
>> information.
> I also tried the bz2 format just for testing, see the following commands:
>
> $ diff vpngate_1.0.126.222_tcp_995.ov
On Thu, 15 Dec 2016 10:52:05 +0100, Gert Doering wrote:
> A *tar* file is a container, that contains files plus header
> information.
I also tried the bz2 format just for testing, see the following commands:
$ diff vpngate_1.0.126.222_tcp_995.ovpn_JP <( bzcat
vpngate_1.0.126.222_tcp_995.ovpn_JP
Hi,
On Thu, Dec 15, 2016 at 07:57:36AM +, Hongyi Zhao wrote:
> > On Wed, Dec 14, 2016 at 03:11:00PM +, John Lauro wrote:
> >> Never tried it with openvpn, but the following should work:
> >> ``--config <(gunzip >
> > Not with a tar file, no.
>
> What do you mean?
A *tar* file is a co
On Thu, 15 Dec 2016 08:22:37 +0100, Gert Doering wrote:
> Hi,
>
> On Wed, Dec 14, 2016 at 03:11:00PM +, John Lauro wrote:
>> Never tried it with openvpn, but the following should work:
>> ``--config <(gunzip
> Not with a tar file, no.
What do you mean?
Regards
>
> gert
--
.: Hong