[I just realized I failed to post this to the list and only to Bonno. Sorry
Bonno, you'll get it twice now! :) ]
Probably not the answer you're looking for - but I gave up on EasyRSA a while
ago. [It's unevenly updated, had serious problems, was concerned about the
default key security (in an
rs mailing list
F> Openvpn-users@lists.sourceforge.net
F> https://lists.sourceforge.net/lists/listinfo/openvpn-users
--
Gregory Sloop, Principal: Sloop Network & Computer Consulting
Voice: 503.251.0452 x82
EMail: gr...@sloop.net
http://www.sloop.net
---__
Top posting:
This is exactly right - many ISP's are *NOT* generating/returning the ICMP
"Fragmentation needed" responses - in which case, your reliance on PMTU will
result in a completely failed connection. [For my users, at least, that's the
*MOST UNDESIRABLE* option of any.]
Using a smaller
The short answer is:
If the traffic going "inside" the tunnel is UDP based, it's already built to
handle packet loss.
If the traffic going "inside" the tunnel is TCP based, it's going to be handled
by the TCP connection that's encapsulated by the tunnel. [i.e. The TCP
connection will
Top posting
JJK> The only thing you can do, is to run something like Traffic Control (tc)
JJK> on the link to prioritize low latency traffic compared to bulk
JJK> downloads. If I throttle my iperf session to use 80% of the maximum link
JJK> speed then the ping times remain much lower. When the
Hi,
On 29/08/17 22:06, Gregory Sloop wrote:
Re: [Openvpn-users] Server vs Client cert generation So a few observations and
possible clues/issues:
I should probably do another test, though I'm worn out from all the hassle of
the last go-round. [But I think I kept all the "test" ce
So a few observations and possible clues/issues:
I should probably do another test, though I'm worn out from all the hassle of
the last go-round. [But I think I kept all the "test" certs I used, so testing
should be easier...]
But I think your cert shows:
X509v3 extensions:
SK> On 09-08-17 19:34, Gregory Sloop wrote:
>> I also often need to generate certs for other things and GNU TLS's
>> CertTool works pretty well.
>> I'd like to use one tool to generate all the certificates I generally
>> need - it's just easier to keep track of, document
So, IMO, EasyRSA is pretty broken.
[I'll skip the discussion about why. Go try to run it on Windows and see how
that works, then then we can talk. Also, key encryption defaults.]
I also often need to generate certs for other things and GNU TLS's CertTool
works pretty well.
I'd like to use one
A working Quantum computer with sufficient capacity will obsolete EC, RSA etc.
It will all be game-over.
End of story. [At least mostly.]
But by the time a quantum computer with the sufficient qbits becomes available,
we'll likely understand [a lot] better the ramifications of such a machine and
GD> Hi,
GD> On Wed, Feb 24, 2016 at 01:32:40PM -0800, Gregory Sloop wrote:
>> The error I keep getting in the logs, follows. [Repeats endlessly.]
>> ---
>> Wed Feb 24 13:13:53 2016 TCP: connect to [AF_INET]xx.xx.xx.151:1194 failed,
>> will try again in 5 sec
On Wed, Feb 24, 2016 at 6:48 PM, Gregory Sloop <gr...@sloop.net> wrote:
I'll poke at some other stuff, but this is a _really_ odd situation. Glad for
any pointers anyone might have.
Easy to check the connectivity as this is tcp: Try
telnet serverA 1194
You may have to enable/install
On Wed, Feb 24, 2016 at 4:32 PM, Gregory Sloop <gr...@sloop.net> wrote:
New Windows install on a new machine.
New OVPN install too, obviously.
I'm using old config files, but I don't think the config file is part of the
problem.
The error I keep getting in the logs, follows. [R
New Windows install on a new machine.
New OVPN install too, obviously.
I'm using old config files, but I don't think the config file is part of the
problem.
The error I keep getting in the logs, follows. [Repeats endlessly.]
---
Wed Feb 24 13:13:53 2016 TCP: connect to
This is on Windows 7. Before I used the 'easy-rsa' script for RSA keys. Now I
would like to know how to generate CA, server, client, etc. using ECDSA keys?
Thanks!
[Sorry, forgot to post to the list...]
The GIT version of EasyRSA will do EC keys/certs. [You can just download it and
use it
[Top posting, to follow convention]
The new EasyRSA 3.x code/tool doesn't appear to have the problem you're
talking about. [I've recently tested with it, and revoking certs works fine -
at least with the options I'm using - there are obviously other code paths, and
perhaps they would produce
16 matches
Mail list logo