[Openvpn-users] a good Web PKI interface for Linux and OpenVPN
Hi Guys,

While I basically generate certificates/config packages (a zip file with all needed files) by hand, I was looking to have that a little more web-based and not that much CLI based.

Are there some good Web based PKI interfaces that can be used to generate certificates and also provide ready (based on templates) OpenVPN config files?

Would love to get some recommendation on that!

Thanks!

--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

gertru...@solutti.com.br
My SPAMTRAP, do not email it

___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: [Openvpn-users] OpenVpn and re-authenticate
On 09/11/2020 06:32, Olivier CALVANO wrote:
> Hello,
>
> I have a problem on a recent OpenVPN installation, the server asks clients to re-authenticate every hour, whether there is activity on the tunnel or not.
>
> How can I fix this problem?

Is this causing any problem? Because it should not. Renegotiation should just happen in the background and, despite appearing in the logs, shouldn't be noticed at all by the tunnel traffic.

--
Leonardo Rodrigues

Re: [Openvpn-users] OpenVPN versus IPSec
On 07/10/2020 19:58, Leroy Tennison via Openvpn-users wrote:
> We use OpenVPN but are getting requests from customers for IPSec. In doing research I came across a reference stating the OpenVPN development team has "subscribed to" some standard for secure development but, of course, now I can't find it. Does anyone have a reference to what I'm talking about?
>
> I'm painfully aware that IPSec is more complex, difficult to set up and less robust in recovering from failed connections than OpenVPN but am looking for additional justification. Anything that anyone has to offer (third-party commercial products such as firewall vendors using OpenVPN, reviews/analysis of OpenVPN, "security expert" recommendations, etc) would be appreciated.
>
> Thanks for your help.

While not exactly using OpenVPN (which implements an SSL VPN protocol using the industry standard SSL/TLS protocols), even the big ones (Fortinet, Cisco, etc) are giving up IPSec instead of their own implementation of SSL-VPNs, given the ease of dealing with NAT and firewalls.

It seems to me that going for IPSec, at this point in time, would actually be going back. While defined as a standard, all vendors implement IPSec with their own extensions and, especially for client-to-site connections (called roadwarriors in IPSec terms), you'll need to install that firewall vendor IPSec client anyway. Forget about the "standard protocol which can be configured anywhere", that never existed. You'll depend on the VPN client from that vendor, despite using a so-called "standard" VPN protocol. In reality, that almost never happened.

For site-to-site VPNs, there I have to agree, you can basically establish IPSec VPNs from anything to anything that supports IPSec. But for the client-to-site, there never existed such a thing as "standard IPSec implementation".

--
Leonardo Rodrigues

Re: [Openvpn-users] Is OpenVPN based on SSL VPN?
On 15/08/2020 11:03, Turritopsis Dohrnii Teo En Ming wrote:
> Is OpenVPN based on SSL VPN?
>
> I am looking forward to hearing from you soon.
>
> Thank you very much.

Yes, it is.

https://community.openvpn.net/openvpn/wiki/OverviewOfOpenvpn

"OpenVPN is a full-featured open source SSL VPN solution ..."

--
Leonardo Rodrigues

Re: [Openvpn-users] deferred client-connect - https://patchwork.openvpn.net/patch/607/
The exact patch posted seems to be only documentation and comments, it doesn't affect any real code at all. If it's not applied to the sources, it will make no difference whatsoever anyway (on the OpenVPN workings).

On 15/05/2020 16:16, Shreyas Heranjal wrote:
> Hi,
>
> I want to use client-connect plugin to assign IP addresses to the clients, and I want to do it asynchronously through my IPAM service. I was going through the openvpn-devel forum and found this patch.
>
> https://patchwork.openvpn.net/patch/607/
>
> Is this patch safe to use? Any reason why this was not included in the latest version of Openvpn?

--
Leonardo Rodrigues

Re: [Openvpn-users] can I use a client key set in multiple devices?
Why not generate new keys ??? You don't have access to the server ? In that case, maybe it won't work.

OpenVPN *can* handle that situation with the correct configuration on the server side. But as it seems you can't generate new keys, I'll assume you don't have access to the server.

Anyway, the correct server clause would be:

*--duplicate-cn*
    Allow multiple clients with the same common name to concurrently connect. In the absence of this option, OpenVPN will disconnect a client instance upon connection of a new client having the same common name.

On 30/06/18 22:18, James Peng via Openvpn-users wrote:
> Hello there,
>
> I have a working OpenVPN client and server. Now my family members also need this vpn connection. I only have 3 client key sets. Can I use one client key set in multiple devices? If yes, can they connect to the server at the same time? The server will not be confused?

--
Leonardo Rodrigues

Re: [Openvpn-users] Clients can't connect after server reboot
You very likely created your certificates with MD5 hashing, which was disabled on newer OpenSSL versions of CentOS. Try:

    export NSS_HASH_ALG_SUPPORT=+MD5
    export OPENSSL_ENABLE_MD5_VERIFY=1

before starting your OpenVPN daemon and watch if that makes clients connect again ...

On 08/08/17 14:59, Mio Vlahović wrote:
> Hi all,
>
> We have a problem with the clients after the server reboot.

--
Leonardo Rodrigues

Re: [Openvpn-users] Managing the server's IP pool
And keep in mind that even 'ifconfig-pool-persist' does not GUARANTEE the same client will always get the same IP address. From the manual page:

    Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, use *--ifconfig-push*

On 28/06/17 10:25, Joe Patterson wrote:
> I don't think you can with that config, but there are things that you could do to change it so you can.
>
> If you add a "status" line, you'll get a status file listing connected systems and their IP's.
>
> If you add a "management" line, you can telnet in and run the "status" command, and get a list of connected systems and their IP's.
>
> If you add an "ifconfig-pool-persist" line, you will get a file with user-to-IP mappings, though there will be no indication of which are currently connected.
>
> *without* the ifconfig-pool-persist, then there isn't really a concept of a "lease", IP addresses go back into the pool as soon as the client disconnects (at least I'm fairly sure of that). But with the management interface, you can both see connected clients and their IP addresses, and, if you wish, kill their connection.
>
> And, of course, you can combine all three and have access to tons of info in multiple ways.

--
Leonardo Rodrigues

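Added example, not part of the original posts: combining the two files discussed in this thread shows which clients are connected and whether the address each one holds matches the ifconfig-pool-persist suggestion. The sample files, client names and addresses are constructed, and `topology subnet` is assumed so that the persisted address is the client's own address.

```python
import csv
import io
import ipaddress

# Constructed ifconfig-pool-persist file ("common_name,ip"), topology subnet assumed.
SAMPLE_IPP = """\
alice,10.8.0.2
bob,10.8.0.3
carol,10.8.0.4
"""

# Constructed status file in the default (status-version 1) layout.
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Wed Jun 28 10:30:00 2017
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,198.51.100.7:51820,48213,90211,Wed Jun 28 09:02:11 2017
bob,203.0.113.40:40122,1200,3400,Wed Jun 28 10:12:45 2017
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.2,alice,198.51.100.7:51820,Wed Jun 28 10:29:58 2017
192.168.50.0/24,alice,198.51.100.7:51820,Wed Jun 28 10:29:58 2017
10.8.0.9,bob,203.0.113.40:40122,Wed Jun 28 10:29:40 2017
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

SECTIONS = {"OpenVPN CLIENT LIST", "ROUTING TABLE", "GLOBAL STATS", "END"}


def parse_ipp(text):
    """Return {common_name: suggested_ip}; extra fields (e.g. IPv6) are ignored."""
    rows = csv.reader(io.StringIO(text))
    return {r[0].strip(): r[1].strip() for r in rows if len(r) >= 2 and r[0].strip()}


def parse_routing_table(text):
    """Return {common_name: [virtual_ip, ...]} from the ROUTING TABLE section."""
    assigned, section = {}, None
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        if row[0] in SECTIONS:
            section = row[0]
        elif section == "ROUTING TABLE" and len(row) >= 2 and row[0] != "Virtual Address":
            try:
                ipaddress.ip_address(row[0])  # skips iroute subnets and MAC addresses
            except ValueError:
                continue
            assigned.setdefault(row[1], []).append(row[0])
    return assigned


def audit(ipp_text, status_text):
    """Compare live assignments with the persisted suggestions."""
    suggested, assigned = parse_ipp(ipp_text), parse_routing_table(status_text)
    report = []
    for cn in sorted(assigned):
        for vip in assigned[cn]:
            want = suggested.get(cn)
            verdict = "no-entry" if want is None else "match" if want == vip else "differs"
            report.append((cn, vip, want, verdict))
    offline = sorted(set(suggested) - set(assigned))
    return report, offline


if __name__ == "__main__":
    report, offline = audit(SAMPLE_IPP, SAMPLE_STATUS)
    for cn, vip, want, verdict in report:
        print(f"{cn:8} assigned={vip:12} persisted={want} -> {verdict}")
    print("in ipp file but not connected:", offline)
```

A "differs" verdict is the case the manual page warns about; firewall rules keyed on a client's VPN address need --ifconfig-push rather than the persist file.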
Re: [Openvpn-users] Can openvpn use compressed config file directly, say ``--config file.tar.gz''?
On 15/12/16 11:12, Hongyi Zhao wrote:
> On Thu, 15 Dec 2016 10:52:05 +0100, Gert Doering wrote:
>
>> A *tar* file is a container, that contains files plus header
>> information.
> I also tried the bz2 format just for testing, see the following commands:
>
> $ diff vpngate_1.0.126.222_tcp_995.ovpn_JP <( bzcat vpngate_1.0.126.222_tcp_995.ovpn_JP.bz2 )
> $
>

I'm really curious to know your reasons for using a compressed config file, knowing that that will not save you space at all, as even the bigger files, with all certs inline, will hardly get bigger than 15-20k. You may save 1 or 2 storage inodes, depending on the filesystem type, but that shouldn't make any real difference at all !!!

Anyway, in your case, I would write an init script that decompresses the config file to the RAM disk /dev/shm and calls OpenVPN from the decompressed file. Being stored in RAM, one single 15-20k file will make no difference at all on your system. I never did that, but maybe you can even erase the file after calling OpenVPN on it.

--
Leonardo Rodrigues

Re: [Openvpn-users] Questions / help on setting up Openvpn
On 25/10/16 18:47, Steve Frazier wrote:
> Is this list for asking questions for newbies setting up OpenVPN or
> for something else?
>
>

There's no limitation on newbies or expert only questions. However, questions like 'please send me a tutorial' usually do not get answers. Questions like 'I did this' and it didn't work, error message is ''. Then I tried changing XXX parameter, but still got problems, log is 'Y' will usually make you have great answers.

In summary, check your logs, check the mailing list archive, check documentation which people already spent their time writing. If you can't get it working, please describe clearly what you have done and what is the error. You'll probably get help.

--
Leonardo Rodrigues

Re: [Openvpn-users] Current fastest cipher / auth
On 29/01/15 00:47, fooey wrote:
> I have a server dedicated to vpn users in the office and so far I'm
> still using blowfish and sha256. I haven't had time to benchmark and
> update anything after heartbleed. We bought a bunch of raspberry B+
> for a project and will be using them as vpn clients and like to give
> them max speeds. We want to have minimal amount of cpu processing
> devoted to openvpn so is BF AES 256 so good or should stepping down to
> a different hash ?

Simple and plain OpenSSL benchmark is your friend !!!

    openssl speed

Note that the fastest to your server may not be the fastest to your clients. At the server you probably won't have power processing problems, situation which may be true on the client end.

Just test openssl speed on both ends and make the best choice.

--
Leonardo Rodrigues

Re: [Openvpn-users] OpenVPN log to mysql database
On 18/08/14 06:03, Dmitry Korzhevin wrote:
> Hi,
>
> I use 'log-append' directive in server side config file, to write all
> log data to specified file.
>
> My question - is there any way to log all connection info to mysql
> database?
>

Not directly, as OpenVPN does not have MySQL support of any kind.

However, using client-connect and client-disconnect, you could easily call your scripts that save the available data however you want, MySQL included.

--
Leonardo Rodrigues

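Added example, not part of the original posts: one script that can serve as both the client-connect and the client-disconnect hook and records each session from the environment variables OpenVPN passes to scripts. SQLite stands in for MySQL so the example runs offline; the database path and table layout are hypothetical.

```python
import os
import sqlite3
import sys

DB_PATH = "/var/log/openvpn/sessions.db"  # hypothetical location

SCHEMA = """CREATE TABLE IF NOT EXISTS sessions (
    id INTEGER PRIMARY KEY, common_name TEXT NOT NULL, real_ip TEXT,
    real_port INTEGER, vpn_ip TEXT, connected_at INTEGER,
    duration_s INTEGER, bytes_rx INTEGER, bytes_tx INTEGER)"""


def _int(env, key):
    """Environment values are strings; return None when absent or malformed."""
    try:
        return int(env[key])
    except (KeyError, ValueError):
        return None


def record_event(conn, env):
    """Insert a row on client-connect, complete it on client-disconnect."""
    conn.execute(SCHEMA)
    kind, cn = env.get("script_type"), env.get("common_name")
    if not cn or kind not in ("client-connect", "client-disconnect"):
        return False
    real_ip = env.get("trusted_ip") or env.get("trusted_ip6")
    port = _int(env, "trusted_port")
    # Bound parameters only: common_name comes from the peer's certificate
    # (or username) and must never be spliced into the SQL text.
    if kind == "client-connect":
        conn.execute(
            "INSERT INTO sessions (common_name, real_ip, real_port, vpn_ip,"
            " connected_at) VALUES (?, ?, ?, ?, ?)",
            (cn, real_ip, port, env.get("ifconfig_pool_remote_ip"),
             _int(env, "time_unix")))
    else:
        conn.execute(
            "UPDATE sessions SET duration_s = ?, bytes_rx = ?, bytes_tx = ?"
            " WHERE id = (SELECT MAX(id) FROM sessions WHERE common_name = ?"
            " AND real_ip IS ? AND real_port IS ? AND duration_s IS NULL)",
            (_int(env, "time_duration"), _int(env, "bytes_received"),
             _int(env, "bytes_sent"), cn, real_ip, port))
    conn.commit()
    return True


def main():
    try:
        conn = sqlite3.connect(DB_PATH)
        try:
            record_event(conn, os.environ)
        finally:
            conn.close()
    except sqlite3.Error as exc:
        print(f"session logging failed: {exc}", file=sys.stderr)
    # Always succeed: a non-zero exit from client-connect rejects the client.
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The server config needs `script-security 2` plus `client-connect` and `client-disconnect` lines pointing at wherever the script is installed.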
Re: [Openvpn-users] OpenVPN and Multi-Core processor
On 05/08/14 04:43, Gert Doering wrote:
> Hi,
>
> On Mon, Aug 04, 2014 at 11:24:28PM +0200, Mathias Jeschke wrote:
>> You should think about starting a crowdfunding campaign ;)
> This is an interesting idea.
>
> It's not going to happen "soonish" (next thing is 2.4, which should see
> the light of day in the next few months), but maybe after that. I'll
> keep it in mind...
>
>

Despite the fact I don't have any OpenVPN running with that many users and, thus, that wouldn't be much of an advantage to me, I would certainly donate some bucks on that !! :)

--
Leonardo Rodrigues

Re: [Openvpn-users] Remote and local use of openvpn
On 07/05/14 11:24, Simon Deziel wrote:
> Indeed and it works well. Here's an example of this:
>
> remote vpn.example.com # public DNS
> remote 192.2.0.1 # internal/lan IP
> server-poll-timeout 3 # Try a remote for N seconds then try next one
>
>

Shame on you using internet-valid IP addresses on your LAN :)

--
Leonardo Rodrigues

Re: [Openvpn-users] Remote and local use of openvpn
On 07/05/14 10:42, Timothy Murphy wrote:
> I'm running an openvpn server on my home CentOS server.
> Openvpn works fine on my Fedora/KDE laptop if I am away from home,
> but if the laptop is on my local LAN I have to edit client.conf
> to give the local name of the server.
>
>

How about having two 'remote' parameters in your .conf ? One pointing to your external address and the other one pointing to the local one. That would probably solve your problem, letting OpenVPN try both addresses and connect on the one it's possible.

--
Leonardo Rodrigues

Re: [Openvpn-users] Costs of Using OpenVPN
On 15/10/13 01:17, Sumit Dahiya wrote:
> We are not planning to redistribute, modify nor make money off of OpenVPN. We just want to USE its abilities. While I understand it is available under GNU GPL v2 but nowhere could I find the price/cost of software. It is a free software (as in freedom to use, distribute etc.) but that does not necessarily mean it costs $0.
>
> Can someone please confirm that my company will not be thrown in jail if we use OpenVPN Community Edition (not the Access Server)?
>
> PS: I am not a lawyer, and therefore, appreciate plain English.

Believe it or not, using OpenVPN Community Edition really costs you nothing, $0.

You'll surely have other costs like keeping a server connected 24x7, maybe hiring someone or some company to configure OpenVPN for you, etc etc, but that's completely out of OpenVPN's scope.

If you already have a 24x7 connected server, that can be used for hosting OpenVPN server and, thus, you won't have costs with that. Maybe you already have someone in your IT team that can do OpenVPN configurations, thus that won't cost you extra money.

The software is free, you can simply download it and compile or even download it from your Linux distro's repository already compiled.

--
Leonardo Rodrigues

Re: [Openvpn-users] Possible to drop port scan packets?
On 24/09/13 15:35, Les Mikesell wrote:
> You can't very well let the firewall block the port that openvpn is
> using although you could block icmp replies about closed ports. But I
> thought that when using UDP, openvpn would not respond at all to
> packets that are not correctly encrypted. Not sure how it works with
> tcp ports, though.
>

Or maybe you can use tls-auth config parameter to add another security layer to your OpenVPN ... if OpenVPN port is open, OpenVPN will reply something on it. Using tls-auth you'll make OpenVPN not try to start TLS session for those who don't have the correct key.

Take a look at that ...

--
Leonardo Rodrigues

Re: [Openvpn-users] Possible to drop port scan packets?
On 24/09/13 12:16, jack seth wrote:
> Is it possible to have a Openvpn server drop port scanning packets instead of
> sending a reply. For example, when running 'shields up' on grc.com the port
> that I have openvpn running on is reported as 'closed' instead of 'stealth'.
> Is there a way to get openvpn to just not respond?

Blocking portscans is a firewall concern, not OpenVPN. If you don't want your daemons to reply to portscan attempts, get your firewall to block them.

That's completely OpenVPN unrelated and surely cannot be done on OpenVPN itself.

--
Leonardo Rodrigues