Re: [Openvpn-users] Client history
On Wed, Feb 28, 2024 at 12:52:17PM +, Peter Davis via Openvpn-users wrote: > # #!/bin/bash > # export script_type="client-connect" > # export common_name="CommonName" > # export trusted_ip="192.168.129.253" > # ./server-events.sh I did not follow the whole discussion, but why on earth are you assuming that your current directly is somewhere known? This is what ./ means: run server-events.sh in the current directory. Put your script in /usr/local/OPENVPN/scripts and call it as /usr/local/OPENVPN/scripts/server-events.sh for example. > So, why is the script not working in OpenVPN? If the problem is locating ./server-events.sh it is *possible* that OpenVPN log itself (or syslog, or the systemd journal) has some stderr output. There are other possibly problems, such as access rights (depending on what user the script is run on, possibly root). ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
[Openvpn-users] OpenVPN and MTU
Hello, First: I don't have any problem with OpenVPN and MTU, this is out of curiosity. This is a simplified network map: 185.250.56.2 OpenVPN --- A.B.C.D (PPPoE) OpenVPN -- 193.72.186.160 (BGP router for 193.72.186.0/24) Look: (reliant is somewhere else on the internet, X.Y.88.46) schaefer@reliant:~$ ping -s 1472 -M do 193.72.186.160 PING 193.72.186.160 (193.72.186.160) 1472(1500) bytes of data. 1480 bytes from 193.72.186.160: icmp_seq=1 ttl=53 time=29.4 ms (1472 = 1500 - (IP header (20) + ICMP header (8)) and look: (X.Y. have been masked, because not my network, 193.72.186.0/24 is mine) 12:57:25.004227 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 1500) X.Y.88.46 > 193.72.186.160: ICMP echo request, id 57988, seq 4, length 1480 12:57:25.031827 IP (tos 0x0, ttl 53, id 6565, offset 0, flags [none], proto ICMP (1), length 1500) 193.72.186.160 > X.Y.88.46: ICMP echo reply, id 57988, seq 4, length 1480 So, how does OpenVPN (mode tun over UDP) achieve 1500 MTU, especially since in my case it can be transported over a PPPoE link with a lower MTU? (ppp0: flags=4305 mtu 1492) Is it because the router at A.B.C.D fragments the OpenVPN UDP datagrams (I see fragments) and the path to 185.250.56.2 and back has no issues with fragments? Or is it OpenVPN itself which fragments its UDP datagrams used for transport because in any case, the headers OpenVPN adds to the datagram are bigger than the 1500 usual MTU? In that case, for performance, should I tell OpenVPN to MSS clamp TCP at 1492 or even less? Thank you. PS: in the past, there was a bug on 185.250.56.2 (the BGP router above) which would be connected to the Internet via an Ethernet link with a MTU < 1500: and I had a lower usable MTU (which was logical). ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] How to hide the number of connections to the server?
Hello, On Thu, Feb 08, 2024 at 11:59:16AM +0100, Gert Doering wrote: > On Thu, Feb 08, 2024 at 10:36:31AM +, Peter Davis via Openvpn-users wrote: > > Is there a way to hide the number of connections to a server? Can an > > intermediate server do this? Instead of connecting directly to the final > > server, people connect to an intermediate server and this intermediate > > server sends requests to the final server! > > Not really, unless that intermediate server sets up a tunnel, and puts > all client connection *into* that tunnel. Then an outside observer would > only see "one connection" - but this has the risk of breaking in interesting > ways, and also tunnel-in-tunnel tends to have bad performance. On a side note, not linked to OpenVPN: I had routing problems when doing IPv6 over IPv4 tunneling (for some reason the tunnel server was not routed with my Internet connection, so I ping-ponged through a customer's one). Aka client ---> relay server ---> real server. This ressembles (a bit) the problem mentionned by Peter. It could work with OpenVPN with the float option I guess. To do that I implemented a small Perl code over a TCP tunnel. It worked like a charm (the delay was quite big, though). There may be much better options if you can control the kernel firewall rules on the relay host (which I couldn't). Of course, I now have v6 native connectivity :) See: https://wiki.alphanet.ch/Sandbox/BidirectionnalUDPTunnel (dates back 2010! just had to fix the dot image generation today) signature.asc Description: PGP signature ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] Can a configuration item be cleared in the server.conf file
On Mon, Feb 05, 2024 at 09:55:58AM +0100, Bo Berglund wrote: > I tried the service restart and it worked inasfar as the logs now look like > this > example: > > Mon Feb 5 09:42:42 2024 us=734354 succeeded -> ifconfig_pool_set() Do you mean rsyslog logs? Again, systemd changes everything: you can exploit a system without rsyslog, and systemd-journald. This writes the log to a binary format, that you can see with journalctl. Maybe in that cas you can format the datetime field as you wish? Currently, I still run rsyslog (and Debian, at least with the bookworm release, merges the rsyslog /var/log AND journalctl logs for use by logcheck, with the side effect that logs entries are doubled). AFAIK you can change rsyslog log format in /etc/rsyslog.conf, however this might break all of your default/existing logcheck rules. > I really wonder why it uses this terrible illogical display with the day name > first? historic? ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] Can a configuration item be cleared in the server.conf file
Hello, On Mon, Feb 05, 2024 at 12:06:13AM +0100, Bo Berglund wrote: > restart the specific services or do I have to restart the server computer > itself? I am no systemd specialist, however, most of the times you change a systemd config file you should do: systemctl daemon-reload ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] Can a configuration item be cleared in the server.conf file
Hello, On Sat, Jan 27, 2024 at 01:06:15PM +0100, Jochen Bern wrote: > (Note that, back when I had to try to get rid of the parameterless > "--daemon" in the unit file, I found that the unit file would get > overwritten with every update - unlike "normal" config files, where a new > packaged version would be put into a *.rpmnew file when the update finds the > current version manually changed.) Debian supports conffiles: they are handled specially, changes from maintainer are presented to the sysadmin at package upgrade or installation time (conffiles can stay even if you remove a package, if you don't --purge it) and you can accept them or not, merge, etc. However, AFAIR most systemd files are not conffiles (since that would apparently conflict with some systemd internals), countrary to most configuration files of all of the other packages of the Debian system [1]. Debian supports diversions: the package system will make sure the file will always be updated elsewhere. That worked the last time I used it, but I no longer use it on systemd. [2]. In emergency cases or in a RPM distribution, chattr +i could work (immutable) :) However, the systemd supported way to do this is: copy the unit file from /lib/systemd/system/ to /etc/systemd/system/ and then make the changes there. Which is AFAIK what systemctl edit XXX does as you wrote. [1] https://manpages.debian.org/testing/dpkg-dev/deb-conffiles.5.fr.html [2] http://www.ixany.org/articles/divert-files-on-debian/ ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] OpenVPN on port 443
Hello, On Wed, Jan 24, 2024 at 11:49:43AM +, Peter Davis wrote: > I am testing this scenario in a virtual environment before moving it to the > real world. So, use subnets within private address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), or possibly some other reserved addresses [1]. Do not use public addresses unless you own them. > How can I make OpenVPN look like an HTTPS connection? Do you mean to obfuscate OpenVPN traffic so that an attacker thinks it is legit web traffic? I don't think OpenVPN does that: but you can run OpenVPN over TCP over tor, and use all obfuscation methods that tor supports (obfs4, maybe even snowflake), some of them look like HTTPS. PS: please quote correctly (removing non pertaining text). [1] https://en.wikipedia.org/wiki/Private_network ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] OpenVPN on port 443
Hello, On Wed, Jan 24, 2024 at 06:14:22AM +, Peter Davis via Openvpn-users wrote: > 1- I don't understand what you mean about "server 20.20.0.0 255.255.255.0". > What is the difference between IP range 10.X and 20.X? 10.0.0.0/8 is a private range, that you can use as you please for private networks, including 10.0.0.0/24. 20.20.0.0/24 is: schaefer@reliant:~$ whois 20.20.0.0 NetRange: 20.0.0.0 - 20.31.255.255 CIDR: 20.0.0.0/11 NetName:MSFT NetHandle: NET-20-0-0-0-1 Parent: NET20 (NET-20-0-0-0-0) NetType:Direct Allocation OriginAS: Organization: Microsoft Corporation (MSFT) RegDate:2017-10-18 Updated:2021-12-14 Ref:https://rdap.arin.net/registry/ip/20.0.0.0 OrgName:Microsoft Corporation OrgId: MSFT Address:One Microsoft Way [ ... ] This will work, as long as you have a NAT between those addresses and Internet, and obviously you won't be able to contact any of those Microsoft IPs anymore, In short: bad idea. Use private ranges only (or any public range that you own). > 2- But this is a remote server, not an internal server, and I want to connect > to this server through OpenVPN, but my connection looks like HTTPS. Parse error. ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] Reaching connected client machine from the server through the tunnel?
Hello, On Wed, Jan 17, 2024 at 09:57:41PM +0100, Bo Berglund wrote: > Is there some way when that RPi has connected to my OpenVPN server to reach it > "backwards" via the connected tunnel? I mean to establish a command line SSH > interface through the tunnel or similar. Well, it has a (presumably private) address on the OpenVPN interface that you can control from the VPN server configuration. For example here, this is an OpenVPN client with no public address (on a CGNAT via a 4G wireless link): The 4G interface with a private IP (wwan0) inet 10.56.90.106/30 brd 10.56.90.107 scope global dynamic wwan1 (obviously, you can't do much with it, as it's CGNAT controlled by the 4G network operator) The OpenVPN interface with a private IP (tap0, also works with tun0) inet 192.168.251.4/24 scope global tap0 So, from the OpenVPN server, assuming your pi has no firewall: schaefer@shakotay:~$ telnet 192.168.251.4 22 Trying 192.168.251.4... Connected to 192.168.251.4. Escape character is '^]'. SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3 Yes, SSH on your pi can be reached, or whatever service you want to be reachable. > But the lack of public IP makes it impossible to run a server on the client > side > to access the RPi and I guess if done it would create a closed loop kind of > connection... Just make your SSH server on the pi listen on 0.0.0.0 (which is the default), it will happily answer on all of the IP addresses, private or public, that it has. > Advice on how to configure the client and server for this is gratefully > appreciated. In my case, there IS a firewall, and the OpenVPN client startup script configures it correctly so that the SSH server is accessible from the VPN. If I remember well, in addition, I had to derive the (private) IP address from the certificate client name (CN) and push it to the client through the server connect script, something like: case $common_name in client[0-9][0-9]) the_ip=${common_name/client} case $the_ip in 0*) the_ip=${the_ip/0};; esac cat > $1
Re: [Openvpn-users] OpenVpn client connect on system start in Linux?
On Wed, Nov 22, 2023 at 03:03:45PM +0100, Marc SCHAEFER wrote: > that particular config, for example, if your file is /etc/openvpn/toto.conf I meant /etc/openvpn/client/toto.conf > systemctl status openvpn-client@toto.service ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] OpenVpn client connect on system start in Linux?
Hello, On Wed, Nov 22, 2023 at 02:44:57PM +0100, Bo Berglund wrote: > Is it enough to put the OVPN file (renamed to extension conf) into the > /etc/openvpn/client dir? I think it is not enough with recent Debian releases using systemd. AFAIK raspi is somewhat Debian. Here you need to test the status of the systemd configuration for that particular config, for example, if your file is /etc/openvpn/toto.conf systemctl status openvpn-client@toto.service You might have to do: # enable at boot systemctl enable openvpn-client@toto.service # manually start it systemctl start openvpn-client@toto.service In the past, you would just verify /etc/default/openvpn had the AUTOSTART="all" entry and that the config files would be directly over /etc/openvpn Obviously, if you want to go that latter way, read the text about systemd in that file. But I suggest going the systemd way above. ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] --user specified but lacking CAP_SETPCAP
> used to allow the OpenVPN process to keep setup certain capabilities as it > transitions to the user provided via the --user option. The CAP_NET_ADMIN > is, not surprisingly, used to setup the virtual network adapter (both tun > and ovpn-dco) and get network routes set up properly. And, if you run OpenVPN within a Docker container, you will need to manually add that capability at the Docker container creation time: --cap-add=NET_ADMIN ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] openVPN vs openSSH for single user access
On Wed, Feb 15, 2023 at 05:43:12PM +0100, Jan Just Keijser wrote: > Having port 22 open on the internet is asking for bots & script kiddies to > try and break in, but usually fail2ban takes care of it quite nicely. Yes, and I you can report to abuseipdb.com -- that's why my main server has port 22 open (and there are a few measures that make succeeding authentification unlikely -- the remaining risk is a zero-day on SSH itself). > and list it on a public webpage, so having a public wiki/web page stating > "we run ssh on tcp port to confuse script kiddies" is not a very good > way to hide your ssh service. Also, I have one container which has a random port for SSH. It was discovered by scanners in about one to two weeks. (*) On a sensitive machine, I use port knocking. Or I hide services behind a private OpenVPN network, depending. Which is also useful when the ISP no longer offers port forwarding (CGNAT) for CPE. (*) I read some litterature that scanning the whole ipv4 space for every TCP port takes about a day with a GBit/s or so optimized SYN sender. ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] openVPN vs openSSH for single user access
On Wed, Feb 15, 2023 at 05:19:07PM +0100, Gert Doering wrote: > SPF itself is not the problem (that only checks envelope-from, which > the list does change), but DMARC with p=reject is. Correct! > Not sure if the list actually can do the "do the From: rewrite for > DMARC p=reject enabled senders" dance. I know mailman can, but it's > not a mailman list. > > Always rewriting From: is the worst of all solutions. I have configured it for a few years now on many lists (with Mailman) and it works quite well. Intelligent MUA will even differenciate from replying to the list, or to the user (via Reply-To:). Now, if you can't, well, you can't, and I will get reports like this everytime I post, which is not problematic: Sender Domain: alphanet.ch Sender IP Address: 216.105.38.7 Received date: Wed, 15 Feb 2023 17:13:10 +0100 SPF Alignment: no DKIM Alignment: no DMARC Results: None, Accept As you can see, in my case it's not that problematic (it might be if the remote server uses disalignement to add "spam points"). In that specific case they seem to use spamassassin and the disalignement has no impact, according to the spamassassin headers. I only currently configure reject for the domains I no longer use that are used to send out spam, namely some alphanet.ch subdomains: schaefer@reliand:~$ host -t txt _dmarc.vulcan.alphanet.ch _dmarc.vulcan.alphanet.ch is an alias for _dmarc.obsolete.alphanet.ch. _dmarc.obsolete.alphanet.ch descriptive text "v=DMARC1; p=reject" The only reason I publish a DMARC policy on my main domain (of p=none) is it made my mail more easily acceptable to gmail for some magical reason. Some day, I might switch to reject policy. signature.asc Description: PGP signature ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] openVPN vs openSSH for single user access
On Wed, Feb 15, 2023 at 04:43:07PM +0100, Gert Doering wrote: > On Wed, Feb 15, 2023 at 04:06:44PM +0100, Marc SCHAEFER wrote: > > I run OpenSSH with UDP and on a random port, it's is presumably much > > more difficult to find on scanners. > > I guess this was intended to read "OpenVPN" :-) - and indeed, with > tls-auth/tls-crypt, an OpenVPN server is "invisible" unless you know > that it's there and have the right key material. Yes, sorry, s/OpenSSH/OpenVPN/. On a side note, you don't rewrite the From: in your mailing-list, which means that SPF enabled domains like me will not always be delivered. For the record, using MailMan, it's the General > from_is_list > Munge option. This means that the real mail address is somewhat obfuscated (but probably can be found as Reply-To: if it is not set to the list). signature.asc Description: PGP signature ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] openVPN vs openSSH for single user access
On Wed, Feb 15, 2023 at 02:12:58PM +0100, Stefanie Leisestreichler wrote: > Which leads to the question: Do you focus with same caution to an exposed > openvpn service or is this more specific for those sshd? No. I run OpenSSH with UDP and on a random port, it's is presumably much more difficult to find on scanners. ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] Getting: 2 updates could not be installed automatically
On Tue, Mar 08, 2022 at 10:02:19PM +0100, Bo Berglund wrote: > It says that I have held broken packages but I have no idea on what that even > means or how one can "hold" something in a computer A held package is a package that is marked as DO NOT TOUCH (no upgrade). To list held packages, you can use: apt-mark showhold or read: https://www.cyberciti.biz/faq/apt-get-hold-back-packages-command/ That may not be the issue there, it could be a dependancy issue, especially if you have installed additional installation sources. Usually apt-get install -f (under root) gives an idea or even a solution. Only type ENTER after having understood what it is going to do. PS: not using Ubuntu, but Debian, but Ubuntu is Debian-based. ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] Expected transfer speed LAN-LAN using OpenVPN?
Hello, On Sat, Feb 12, 2022 at 06:22:41PM +0100, Bo Berglund wrote: > So this is about 10 Mbit/s speed... > I had really hoped for something better than 1/25th of the connection speed. > Is this normal or is there some way to improve the speed? Depending on the hardware, I can measure upto 7-8 MByte/s (~70 MBit/s) through OpenVPN. And the symptom is that one of the CPU is at 100% (OpenVPN is not multithreaded AFAIK). Do you have hardware AES acceleration? Do you observe a CPU maxing out? If not there might be something else going on. An example here, using SSH over OpenVPN, in both cases we simply send data out from Internet to either a) normal Internet b) Internet through an OpenVPN a) SRC: 46.140.72.222 (this is native, 1G/100M link) 10240K, 10870K/s 102400K, 47539K/s b) SRC: 193.72.186.249 (this is OpenVPN) 10240K, 9642K/s 102400K, 9169K/s It's a somewhat small transfer, but the numbers rise with the time. Script: #! /bin/sh BS=4096 COUNT_UP=$((10*1024*1024/$BS)) COUNT_DOWN=$((100*1024*1024/$BS)) for SRC in 46.140.72.222 193.72.186.249 do echo "SRC: $SRC" dd if=/dev/zero bs=$BS count=$COUNT_UP 2>/dev/null \ | ssh -o "ProxyCommand=ssh virtual nc -q 0 -s $SRC some-internet-host-we-will-not-disclose.ch 22" \ some-internet-host-we-will-not-disclose.ch buffer -S 1048576 -s $BS -o /dev/null ssh -o "ProxyCommand=ssh virtual nc -q 0 -s $SRC some-internet-host-we-will-not-disclose.ch 22" \ some-internet-host-we-will-not-disclose.ch dd if=/dev/zero bs=$BS count=$COUNT_DOWN 2>/dev/null \ | buffer -S 1048576 -s $BS -o /dev/null echo done ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] a good Web PKI interface for Linux and OpenVPN
On Wed, May 26, 2021 at 10:23:03AM -0300, Leonardo Rodrigues wrote: > Are there some good Web based PKI interfaces that can be used to > generate certificates and also provide ready (based on templates) OpenVPN > config files? My VPN provider SNN (swissneutral.net) uses a ISP open source software: https://code.ffdn.org/ffdn/coin This integrates a SSO with config and key generation. ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] "PID_ERR large diff" messages
On Thu, Mar 18, 2021 at 10:13:35AM +0100, Steffan Karger wrote: > If you see these a lot, it might be worth checking the network between > client and server to see why this packet reordering happens. Typically, I saw those (but not as many as reported by that user) when my CATV connection was dropping and reordering at lot of UDP packets. ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] mssfix set to zero
On Thu, Mar 11, 2021 at 05:06:49PM +, tincanteksup wrote: > Yes, i'm using http server on vpn server and wget on vpn client. Ok, so, on-the-fly TCP MSS clamping will also work in this scenario, which is a quite rare scenario anyway. ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] mssfix set to zero
On Thu, Mar 11, 2021 at 03:25:25PM +, tincanteksup wrote: > I was expecting that openvpn configure MSS at the IP level so > that only the kernel manages that side of the packet creation. What would happen if the OpenVPN client is actually a router that forward trafic from a network ? In that case, only the dynamic TCP MSS clamping can work. The same if your OpenVPN server is not the end server you communicate with. The only case what you suggest might work is if the OpenVPN client *is* the application client and the OpenVPN server *is* the application server. In that case it would be enough that the tun or tap interface presents a MTU which takes in account OpenVPN header overhead. In my use cases, this nevers happens. ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] mssfix set to zero
On Tue, Mar 09, 2021 at 04:48:43PM +0100, Gert Doering wrote: > No. The code in question is not OS dependent (forward.c, mss.c, no > #ifdef _WIN32 anywhere close to "mss"). Some background: Actually, OpenVPN acts here as a firewall with inspection and mangling, as far as I understand, modifying packets as they flow. This is the equivalent of Linux iptables --clamp-mss-to-pmtu, except this autodetects from the interface, and OpenVPN probably substracts some more headers (its headers) from the total. Normally, the MSS is set during the initial TCP connection opening (the client sets one, the server sets one). Only by changing on-the-fly the TCP MSS can OpenVPN make that the client side, respectively the server side, respects the maximum possible MTU. Obviously this has no impact on UDP traffic. signature.asc Description: PGP signature ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] TCP syn]
On Thu, Feb 25, 2021 at 09:17:11AM +0100, Jan Just Keijser wrote: > send raw packets. On linux this is possible, not sure about Windows, but > it's definitely a no-no on Android or iOS. If DDoS or cracking attempt is a problem with your setup, and port-knocking is not applicable, why not add a simple web interface which allows by IP? You could store the credentials in the browser. Obviously may need some refreshing especially with CGNAT and might need to sit on the exact same IP to avoid the CGNAT fan-out issue, but it should work. And no, port-knocking and other things have nothing to do in OpenVPN, in my opinion. Keep the UNIX way of things: one tool, one purpose. ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] TCP syn]
On Wed, Feb 24, 2021 at 10:49:56PM +, tincanteksup wrote: > My idea (as daft as it is) would only serve one purpose: To hide a > listening TCP port. Because there would be no SYN-ACK from the server if > the SYN failed security checks. This is what port knocking does: unfirewall the OpenVPN UDP or TCP port if a password is given: the password being an specific sequence of opens. ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] TCP syn]
On Wed, Feb 24, 2021 at 07:27:09PM +, tincanteksup wrote: > which suggested to me that openvpn may have some vulnerability to TCP DDos. A Linux kernel can offer a few protections against DDoS, for example SYN cookies to avoid a memory exhaustion with fake TCP connection openings. You may have to enable it with sysctl (see /etc/sysctl.conf). > Obviously, the connection ultimately fails but I was simply expecting the > server to drop the subsequent packets without logging anything. Especially > as both server and client believe that TCP has established a connection, > even to the extent of: I guess that the OpenVPN TCP server logs this as soon as the kernel tells that a new connection is opened (accept(2) returns), aka SYN/SYNACK/ACK, and the client as soon as the ACK is sent. The TLS handshake has not been done yet. The connection will probably be cut quickly if it does not happen (?). > ESTAB00 127.0.0.1:34571 > 127.0.0.1:42714 > ESTAB00 127.0.0.1:42714 > 127.0.0.1:34571 That's two nexus, because you run the client and server on the same machine. > I wonder if IPv6 has any new features which can customise the initial Syn > packet in any way ? Not to my knowledge. Why would you want to do that? You could use port knocking if you want to hide your service from attackers. > I doubt it but something for me to look into ;-) If you want to avoid DDoS, look for SYN cookies, and also you may want to use a firewall to limit what IP addresses can connect (if this is possible), or possibly run an IDS/IRS/IPS to detect malicious attempts. ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] TCP syn
On Wed, Feb 24, 2021 at 06:01:19PM +, tincanteksup wrote: > today I discovered that a server using TCP responds to an initial Syn packet > with an ack packet, This is standard TCP protocol (SYN, SYN ACK, ACK). It is executed in the kernel. Only after the client ACK is received by the server will OpenVPN handle that TCP connection (accept(2) returns a new connection socked in the ESTABLISHED state). Before that, OpenVPN does not even know a connection is being opened. > even with --tls-auth key configured. This, TCP does not know. For TCP, it's just data bytes. The TLS negociation is done afterwards, when the TCP connection was established. ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] OpenVPN frequent renegociation and sometimes downtime
Hello, I now think my VPN is running reliably: a ping every 5 minutes over the last 15 hours has shown 100% success. The bug was in the UPC router firmware, blocking from time to time trafic on port 4998/UDP where I run my multi-site VPN. The funny thing is that the bug showed itself not only on Internet traffic but ALSO on the internal switch of that router for two machines on the same public IPv4 subnet, and disappeared when connecting them through an independant switch. I could however clean up a bit my OpenVPN configuration, which was a good thing. Thank you for your help. ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] OpenVPN frequent renegociation and sometimes downtime
On Sat, Jul 25, 2020 at 10:40:47AM +0200, Gert Doering wrote: > Check your config for "reneg-bytes", "reneg-pkts" and "reneg-sec" settings > that are non-default. Definitely, there was a server-side client script pushing that, it is commented now. Still testing to see if the problem reproduces itself. Thanks. signature.asc Description: Digital signature ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] OpenVPN frequent renegociation and sometimes downtime
On Fri, Jul 24, 2020 at 11:20:32PM +0100, tincanteksup wrote: > not sure how you have your configs setup (maybe post further details) but .. > Using --verb 4 may help with extra log details. Thank you, will collect more information. It now suspiciously looks like a firewall issue. ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
[Openvpn-users] OpenVPN frequent renegociation and sometimes downtime
Hello, I have an OpenVPN server on a fixed IP address, using the CA mode. I have 3 clients, two on dynamic IP and behind CGNAT, and one on fixed IP. I observe frequent downtimes, that's why I have investigated a bit. They heal by themselves, but sometimes they last more than 10 minutes, which triggers an alarm on my monitoring system. I run the Debian buster version of OpenVPN everywhere. I tried the server config: keepalive 10 60 However, it did not really help: I have frequent downtimes of all of the clients. AFAIK this command also set ping on the clients. Thinking that the problem could be NAT related, at least partly, I tried just a simple `ping 10' on the server. It did not help. I have now configured a ping 10 on the server and one of the client to see what happens. My question: is it normal that the key exchange / negociation is very frequent ? See: (every minute): that one is on fixed IP Jul 24 23:04:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Jul 24 23:04:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Jul 24 23:05:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Jul 24 23:05:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Jul 24 23:06:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Jul 24 23:06:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Jul 24 23:07:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Jul 24 23:07:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Jul 24 23:08:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Jul 24 23:08:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Jul 24 23:09:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Jul 24 23:09:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Jul 24 23:10:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Jul 24 23:10:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Jul 24 23:11:46 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Jul 24 23:11:46 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Jul 24 23:12:46 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Jul 24 23:12:46 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Jul 24 23:13:46 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Jul 24 23:13:46 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Jul 24 23:14:46 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Jul 24 23:14:46 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key However, the others (on NAT) also do the same every minute. But the `Peer Connection Initiated' is much more rare (e.g. once a day). So far I have not seen any specific error message when the connection ceases to work or starts again. Any idea ? Thank you :) ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] OpenVPN issues with Windows NLA
On Fri, Jul 03, 2020 at 01:20:09AM +0100, tincanteksup wrote: > DNSSec would put an end to this sort of snooping .. lol As Gert said, no, it won't. What you may want is DNS over HTTPS or over TLS. However, in that case, it's the DNS provider that can snoop on you, but no longer your ISP. If your ISP does not spy on you, the mixing with all of its customers and the caching it offers are valuable. Google and CloudFare offer DNS over HTTPS, bypassing your local DNS, the latter seem to less spy on its users. https://en.wikipedia.org/wiki/DNS_over_HTTPS ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] OpenVPN architecture
On Wed, Apr 29, 2020 at 09:37:06AM +0200, Gert Doering wrote: > > HTTPS also has PFS[1] now, does OpenVPN have PFS too ? :)) > > Of course :-) > > (it always had, in TLS mode. Not in p2p --secret mode, but that is > deprecated - no PFS is one of the reasons) Nice! Thanks Gert. signature.asc Description: Digital signature ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] OpenVPN architecture
On Tue, Apr 28, 2020 at 10:26:40PM +, Leroy Tennison via Openvpn-users wrote: > Is OpenVPN architecture similar to HTTPS where the certificate, etc. is used > to encrypt and transmit a symmetric key which is then used for all future > communication? HTTPS also has PFS[1] now, does OpenVPN have PFS too ? :)) [1] https://en.wikipedia.org/wiki/Forward_secrecy if the private key is stolen, decryption of key exchange protocols will not give the key, e.g. PKI authenticated Diffie-Hellman ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] Checking OpenVPN connectivity
On Tue, Apr 28, 2020 at 10:45:03PM +, Leroy Tennison via Openvpn-users wrote: > udp packets from a source making it to a destination) without actually trying > to make a connection You can try netcat, with the -u option. Now, if you have a real powerful firewall it may see this is not legitimate OpenVPN traffic and block it. Wonder if this exists. ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] Capture all traffic in a client-to-client setup
Hello, Thank you for your reply: On Mon, May 20, 2019 at 07:46:11PM +0200, Jan Just Keijser wrote: > you'd have to disable 'client-to-client' , enable IP forwarding on your > server and set up the appropriate routing and iptables rules. Packets should > essentially "leave" openvpn and be handed off to the kernel. The kernel may > then decide to feed them back into OpenVPN (via the tap i/f again) based on > routing rules. Actually this works, if I add: brctl hairpin br0 tap0 on thank you for your suggestion. > as you are running a tap-style network I'd think this should "just work" : > the Linux kernel sees the tap device as "just another ethernet " device . According to this: https://ente.limmat.ch/kb/linux/networking/bonding_vlan_bridge_tap_config.html it should work I haven't tried it yet, though. Have a nice week. ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
[Openvpn-users] Capture all traffic in a client-to-client setup
Hello, I run a layer 2 (bridging) large OpenVPN network linking ethernet interfaces, wifi interfaces, software bridges, tap interfaces, etc. The idea behind the layer 2 virtual network was for maximum flexibility: it is an educational network where people must collaboratively manage it (including setting up their own DHCP server, WiFi authentification, etc). It works like a charm. As this is an educational network, there are times where I want to see all exchanged traffic, for debugging or illustrative purposes. What I noticed is if "client-to-client" is not enabled, then the layer 2 does not work, and with it enabled, it works, but I don't see inter-client trafic on the main VPN server. Question 1: how may I see inter-client trafic on the main VPN ? Question 2: would VLAN work in this setup ? I have already deployed VLANs trunks on ethernet and wifi, but not so far attempted to make the VLAN tagged frames travel through OpenVPN, is there anything special to do so it works, or does it automagically works (no VLAN isolation required, just trunk mode) ? If it is not possible, then I will implement multiple VPNs, each with its own bridged VLAN. Thank your for your input. ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users