erally not done for v6.
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...
s totally impossible to give a
meaningful reply to this.
gert
hed), or have to move to a new server with
a different "--cipher" in the config.
Apologies for the inconvenience... this is why we have cipher negotiation
and AEAD in 2.4...
gert
everything on linux...
gert
(on BSDs, one would do "ifconfig tun4 create", but Linux' ifconfig cannot
do that)
gert
Hi,
please do not send HTML mails...
On Thu, Dec 08, 2016 at 07:07:50PM +1100, Chris Anderson wrote:
> Hi I have a problem with openvpn running from
> systemd (not using the suplied systemd unit files) consuming 100% cpu on
> single thread when running from systemd. When I run this from a root
nt that can do this sort of redirect.
But as said earlier, the benefits of using gzip'ed config files is minimal,
given that the files are so small anyway.
gert
around a
container format like .tar or .zip either.
gert
Hi,
On Sat, Dec 17, 2016 at 01:23:53PM +0100, David Sommerseth wrote:
> On 17/12/16 11:13, Gert Doering wrote:
> > (Main reason we can't stick to BF-CBC is that we use OTP passwords and
> > with "reneg-bytes 64M" it's asking way too often for user+password...)
>
>
Not saying that this is the way it has to be done, but it's a nice way
to transact a large user base without a flag day.
(Main reason we can't stick to BF-CBC is that we use OTP passwords and
with "reneg-bytes 64M" it's asking way too often for user+password...)
gert
rver side does this, and you'll see renegotiations
in the log file.
Of course, upgrading to 2.4 and using AES would be much nicer :-)
gert
-choice? :-))
gert
in your openvpn config)
gert
tive service, and running OpenVPN from the
GUI? If not, you should :-)
gert
erver,
> tun address should be 192.168.31.6, gui says so,
>
> but real address on tun is 10.1.10.6.
Log file?
gert
Hi,
On Thu, Dec 22, 2016 at 11:26:14AM -0500, Selva Nair wrote:
> On Sat, Dec 17, 2016 at 5:13 AM, Gert Doering <g...@greenie.muc.de> wrote:
>
> > (Main reason we can't stick to BF-CBC is that we use OTP passwords and
> > with "reneg-bytes 64M" it's aski
he data channel and see if something useful comes back.
gert
-off-by: Gert Doering <g...@greenie.muc.de>
---
src/openvpn/syshead.h | 2 --
1 file changed, 2 deletions(-)
diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h
index a1b6047..f445864 100644
--- a/src/openvpn/syshead.h
+++ b/src/openvpn/syshead.h
@@ -589,9 +589,7 @@ socket_defined
not need TCP *and* UDP, unless you run two server processes, one
for TCP and one for UDP.
gert
o far" out, so 2.3 users can
slowly migrate to AEAD.
gert
s what happened here.
gert
Hi,
On Mon, Apr 24, 2017 at 01:36:02PM -0400, Selva Nair wrote:
> On Mon, Apr 24, 2017 at 1:12 PM, Gert Doering <g...@greenie.muc.de> wrote:
>
> > ... except that it really shouldn't do this, if you running the GUI without
> > Admin privileges... which you *are* doin
t you?
gert
"do not just hijack existing threats" first.
gert
PS: yeah, someone will come and yell at me that I'm so mean. Go for it.
x.
gert
(unless you put it there).
(As a side note: please upgrade to 2.4.3)
gert
e
- do not use --ncp-disable and varying --cipher settings unless there is
a very specific situation that you need this for
gert
t
help (because that will ensure the server knows "client went away") - but
otherwise, this is turning into a "if I do this, it hurts" - "then don't
do this" thread.
gert
a copy and truncate trick.
>
> Is there a "proper" way now to use the Linux logrotate feature without the
> copytruncate option?
--syslog?
gert
ds to be correct before a connection
can be established at all. So, not pushable.
gert
You can make them listen to the tun IP on the server, and restrict
client access to "openvpn client IPs" - that should work.
gert
ted packets going to your VPN server (and traffic
local to the LAN network).
gert
not answer *why* it thinks it wants to send a packet.
gert
l packet (maybe it *is* a --ping packet after all).
gert
ess to the internal of X509_OBJECT
OpenSSL: don't use direct access to the internal of RSA_METHOD
OpenSSL: SSLeay symbols are no longer available in OpenSSL 1.1
OpenSSL: use EVP_CipherInit_ex() instead of EVP_CipherInit()
Eric Thorpe (1):
Fix Building Using MSVC
Gert Doe
/lists/listinfo/openvpn-users
... this is what is appended to every single mail, so you can click on
it and remove yourself.
gert
your VPN, and bored kids can find
out which networks you use internally in the VPN and can send packets
there, upgrade.
gert
rather hard to use openvpn.
It's always nice to hear kind words from users :-)
gert
g "auth-retry nointeract" might be what you need on the client side
to work around this.
gert
d --topology subnet
> nowadays.
net30 exists because ptp didn't work on windows and nobody had one
subnet yet :-)
gert
tion" to be "initiated",
as everything is static anyway. So it's not fully clear to me what it
is doing there.
(But I've never used static key mode in earnest, so I'll learn something
new here :) )
gert
ween
openvpn and the "tun0 thing" in the kernel, and iptables/routing are
really on the "app side" of the tun0).
Language can be confusing.
gert
Worth a test.
gert
on program end" :-)
gert
t router's LAN and WAN interface)
when you do the traceroutes, and see where the packets show up
gert
like "firewall" to me.
gert
n.
Have you been following the check list in my "it's always routing" mail?
If yes, what's the outcome?
gert
cond set of firewall rules,
but those are "OpenVPN pf rules", not related (and not visible to)
host side iptables.
gert
it back *after
firewall inspection*.
gert
o have Stretch-compatible .deb for future
releases which are not going to be available out of the box right away)
gert
le forwarding (because "traditionally",
routers do not listen to router advertisements)
/proc/sys/net/ipv6/conf/default/accept_ra
/proc/sys/net/ipv6/conf/enp0s25/accept_ra
gert
Hi,
On Fri, Jun 09, 2017 at 08:09:13PM +0200, richard lucassen wrote:
> On Fri, 9 Jun 2017 08:22:11 +0200
> Gert Doering <g...@greenie.muc.de> wrote:
>
> > > Setting verb to 8 makes a lot of noise :) That's why I just looked
> > > with tcpdump.
> >
>
One possible workaround might be to use pf(4) on the server to setup a
v6/v4 rdr NAT rule and have the firewall provide the "dual-stacking", but
I'm not sure it actually works - never tried.
But let's see the server logs first.
gert
pher patch - this is definitely
useful. Interaction with NCP needs a bit more thought, it seems.
gert
ut running "ldd openvpn" on your openvpn binary - if
liblz4. shows up, it needs the dynamic library. Everything
that does *not* show up is built-in (or not a direct dependency).
gert
stop the kernel from doing its own stuff, which it mostly "buffering"
for "packets inside a TCP stream").
gert
@ mailing lists, as
not all OpenVPN developers interested in "network" are subscribed to
-users
gert
--
now what should I write here...
Gert Doering - Munich, Germany g...@greenie.muc.de
eave the specifics of that to you :-)
(I'm sure Arne will have some ideas as well)
gert
e in your logs that the remote "went away",
but protocol-wise, it does not go away either - there is no connection
setup / teardown in p2p-static-key mode. Just "packets that can be
decrypted" and "remote IP address to send to-be-encrypted packets to"
.x.y 1194
>
> that is the IPv4 address. Was wondering if there is an option (like that
> in SSH) to explicitly provide for an address family:
Just use "protocol udp4" to force IPv4-only (or "tcp4").
gert
s hard, sorry.
gert
lude the --pull-filter.
>
> Would running openvpn-GUI on the modified config negate the pushed echo?
Of course it would. If you filter push messages, they do not arrive.
As for any other pushed option.
gert
ary
which does whatever he wants)
gert
t;);
push @outline, 'push "compress lz4"', 'compress lz4';
(the server can speak different compression algorithms at a time, but
for reasons lost in the mists of time it needs to be told what to expect
- even though the compression byte is actually telling it)
gert
routers / carrier-grade NAT boxes", etc.
gert
m achievable
limit will make sure the queues are never filling up.
gert
"large buffers
with smart queueing" vs. "shallow buffers, drop early, leave this to
the upper layer protocol to sort out")
gert
rch on over the last 20 years.
But that's quite a bit of work...
gert
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert
eral, you should be fine.
gert
Hi,
On Fri, Jun 08, 2018 at 11:27:42AM +0200, Gert Doering wrote:
> So "TCP over naked IP" is exactly what you want to compare to "TCP over
> OpenVPN over UDP/IP" - so "iperf3 tcp" is a valid test for "how does
> the performance vary if OpenVPN/UDP i
301 - 400 of 863 matches