Re: [Openvpn-users] [Openvpn-devel] why doesn't openvpn negotiate settings?

2013-08-06 Thread David Sommerseth
. The cookbook I mentioned in the beginning might make things easier to get started, but you still need to do some learning; at least when things don't work as expected. -- kind regards, David Sommerseth

Re: [Openvpn-users] Overriding a plugin using ccd

2013-08-28 Thread David Sommerseth
clients where you only want single-factor auth. [1] http://www.eurephia.net/ -- kind regards, David Sommerseth

Re: [Openvpn-users] OTP re-auth solution?

2013-09-11 Thread David Sommerseth
authentication. But if an auth session ID is found in the password auth cache, it passes as already authenticated. So I believe (without having tested it), this could work with OTP. [1] http://www.eurephia.net/ -- kind regards, David Sommerseth On Sep 10, 2013, at 9:04 PM, Michael Ludvig mlud

Re: [Openvpn-users] (no subject)

2013-10-31 Thread David Sommerseth
with, as this problem is outside OpenVPN. If your firewalls are fine, all you can do is to try to use another port or try UDP instead of TCP. To test your firewalls, to see what is open and blocked, I find nmap [1] quite useful. [1] http://nmap.org/ -- kind regards, David Sommerseth

Re: [Openvpn-users] (no subject)

2013-10-31 Thread David Sommerseth
or try UDP instead of TCP. To test your firewalls, to see what is open and blocked, I find nmap [1] quite useful. [1] http://nmap.org/ -- kind regards, David Sommerseth

Re: [Openvpn-users] (no subject)

2013-11-01 Thread David Sommerseth
. If you continue to have problems with VPNbook, I suggest you contact them directly as that's your VPN provider in this case. -- kind regards, David Sommerseth

Re: [Openvpn-users] Can't connect using tls-cipher TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA

2013-11-04 Thread David Sommerseth
routines:SSL3_GET_CLIENT_HELLO:no shared cipher So this sounds like there's a mismatch between your server and client config in regards to cipher parameters. -- kind regards, David Sommerseth Thanks for the response. I'm confused by this because I am using the exact same line in the server config and the client

Re: [Openvpn-users] Can't connect using tls-cipher TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA

2013-11-05 Thread David Sommerseth
1408A0C1 error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher So this sounds like there's a mismatch between your server and client config in regards to cipher parameters. -- kind regards, David Sommerseth Thanks for the response. I'm confused by this because I am using

Re: [Openvpn-users] Create a openvpn with bridge and static key

2013-11-06 Thread David Sommerseth
/masquerading instead) I've been active in the OpenVPN community for 4-5 years or so, and I think I 2-3 times have experienced a real legitimate reason why to use bridging. So please tell us why you need bridging first. -- kind regards, David

Re: [Openvpn-users] IPv6 client-to-client communication

2013-11-18 Thread David Sommerseth
it differently in some other projects. -- kind regards, David Sommerseth On Sun, Nov 17, 2013 at 4:44 PM, Gert Doering g...@greenie.muc.de mailto:g...@greenie.muc.de wrote: Hi, On Sun, Nov 17, 2013 at 03:17:05PM -0500, Ryan Whelan wrote: Would it be difficult to modify OpenVPN so

Re: [Openvpn-users] Openvpn -- unable to generate keys

2014-01-22 Thread David Sommerseth
agree that this is not clever at all ;-)) -- kind regards, David Sommerseth

Re: [Openvpn-users] TLS key negotiation failed to occur within 60 seconds

2014-04-01 Thread David Sommerseth
of such a feature. -- kind regards, David Sommerseth

Re: [Openvpn-users] Where are the 2.3.3 sources?

2014-04-10 Thread David Sommerseth
the sources are not protected by HTTPS? Because it's open source and not much to really hide? What would be the real benefit? -- kind regards, David Sommerseth

Re: [Openvpn-users] Where are the 2.3.3 sources?

2014-04-10 Thread David Sommerseth
on an external server too? (That should *not* be a mirrored setup, but somehow distributed outside of a public HTTP{,S}) paranoid mode=off/ -- kind regards, David Sommerseth On Thu, Apr 10, 2014 at 6:36 AM, David Sommerseth openvpn.l...@topphemmelig.net mailto:openvpn.l

Re: [Openvpn-users] Stupid Road-Warrior / OpenWRT question . .

2014-04-24 Thread David Sommerseth
-- kind regards, David Sommerseth

Re: [Openvpn-users] doubts about possible sniffing

2014-05-05 Thread David Sommerseth
address to become a different client would definitely confuse OpenVPN, but would it really work? Wouldn't it just result in a DoS for the targeted client until the attack stops? -- kind regards, David Sommerseth

Re: [Openvpn-users] Does traffic in client-to-client config go through the server?

2014-06-10 Thread David Sommerseth
the server, the server cannot impose any policies or firewall rules on the VPN traffic between the clients. If the traffic must go via the server, the server can block unwanted services on the VPN. -- kind regards, David Sommerseth

Re: [Openvpn-users] Does traffic in client-to-client config go through the server?

2014-06-10 Thread David Sommerseth
, David Sommerseth -- kind regards, David Sommerseth

Re: [Openvpn-users] What do these four lines at the bottom of an ovpn file mean?

2014-07-17 Thread David Sommerseth
in the man page. https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage -- kind regards, David Sommerseth

Re: [Openvpn-users] What do these four lines at the bottom of an ovpn file mean?

2014-07-17 Thread David Sommerseth
and a port number which is to the HTTP proxy the connection should be sent via. Without that information, I'd expect OpenVPN to complain loudly. -- kind regards, David Sommerseth From: David Sommerseth openvpn.l...@topphemmelig.net Sent: Thu Jul 17

Re: [Openvpn-users] Has our dear friend Samuli revoked his public signing key?

2014-07-21 Thread David Sommerseth
information has been gathered and carefully analysed. In that moment we can also provide information on what to do, so that all OpenVPN users stay as safe as possible. In this particular case, it seems there was no problem at all. -- kind regards, David Sommerseth

Re: [Openvpn-users] OpenVPN for Debian Wheezy (backports) and Jessie is still at 2.3.2!!

2014-07-29 Thread David Sommerseth
: I don't exactly understand what you mean by you get friends with the ports system. It basically means: Learn to use OpenBSD and its packaging system (called 'ports') properly. -- kind regards, David Sommerseth

Re: [Openvpn-users] OpenVPN and Multi-Core processor

2014-08-06 Thread David Sommerseth
, this can more easily be added later on. end_of_brain_dump/ -- kind regards, David Sommerseth

Re: [Openvpn-users] OpenVPN and Multi-Core processor

2014-08-06 Thread David Sommerseth
actually fail, especially for TCP, depending on if there are any tight relations to the client ports. /me should stop thinking so much -- kind regards, David Sommerseth

Re: [Openvpn-users] OpenVPN and Multi-Core processor

2014-08-06 Thread David Sommerseth
queue to separate CPU cores. -- kind regards, David Sommerseth

Re: [Openvpn-users] OpenVPN and Multi-Core processor

2014-08-07 Thread David Sommerseth
On 07/08/14 00:37, Jason Haar wrote: On 07/08/14 00:12, David Sommerseth wrote: What is CPU intensive is when asymmetric encryption comes into play, with the key exchanges and other negotiations etc. I sooo have to agree with that. Back

Re: [Openvpn-users] OpenVPN and Multi-Core processor

2014-08-07 Thread David Sommerseth
On 06/08/14 22:52, Les Mikesell wrote: On Wed, Aug 6, 2014 at 3:36 PM, David Sommerseth openvpn.l...@topphemmelig.net wrote: For the typical road-warrior scenario (one server, many clients) you are probably right that a single user won't

Re: [Openvpn-users] Openvpn logout time?

2014-09-02 Thread David Sommerseth
, in addition to block connection attempts after too many failures (to limit brute-force password attacks) -- kind regards, David Sommerseth

Re: [Openvpn-users] From Windows 7 client to OpenVPN server

2014-09-03 Thread David Sommerseth
server's IP address? Any advice or suggestions gratefully received. Just remember to start OpenVPN with Administrator rights. -- kind regards, David Sommerseth

Re: [Openvpn-users] Windows service mode doesn't seem to restart on timeout properly

2014-09-04 Thread David Sommerseth
of an additional security layer. --tls-auth + float is not the same thing as not using both or just --tls-auth. But it does help somewhat, and --tls-auth improves the security in other aspects as well. Given that an attacker doesn't have a copy of the static tls-auth secret. -- kind regards, David

Re: [Openvpn-users] Windows service mode doesn't seem to restart on timeout properly

2014-09-04 Thread David Sommerseth
On 04/09/14 12:06, David Sommerseth wrote: On 04/09/14 06:52, Jason Haar wrote: Hi there I've got openvpn-2.3.4 under Win7 running. Works fine - except when there's a network change... I have verb 3 enabled and the log ends with Thu Sep 04 15:42:09 2014 [dns.host.name] Inactivity timeout

Re: [Openvpn-users] From Windows 7 client to OpenVPN server

2014-09-04 Thread David Sommerseth
On 04/09/14 12:45, Timothy Murphy wrote: David Sommerseth wrote: You do need to install the OpenVPN client to connect to an OpenVPN server. The VPNs supported by Microsoft Windows are not compatible with OpenVPN. Following your advice, I

Re: [Openvpn-users] From Windows 7 client to OpenVPN server

2014-09-04 Thread David Sommerseth
to my default profile. There is work in progress to have a better privilege separation to avoid this. It just hasn't become available upstream yet. -- kind regards, David Sommerseth

Re: [Openvpn-users] Openvpn security on VPS-es

2014-09-24 Thread David Sommerseth
not an easy yes/no answer, due to the flexibility of OpenVPN. -- kind regards, David Sommerseth

Re: [Openvpn-users] Openvpn security on VPS-es

2014-09-24 Thread David Sommerseth
regards, David Sommerseth

Re: [Openvpn-users] Configuration Certificates

2014-09-29 Thread David Sommerseth
is safe forever. Encryption only promises privacy for a certain amount of time. How strong the encryption and setup is, depends on how long this time is. Weak encryption = shorter time, strong encryption = longer time. -- kind regards, David Sommerseth

Re: [Openvpn-users] Configuration Certificates

2014-09-29 Thread David Sommerseth
On 29/09/14 14:15, David Sommerseth wrote: On 26/09/14 17:04, Robin wrote: 1. I am using Ubuntu 14.04 and have set up OpenVpn previously with VPNbook and so know that at least 3 configuration certificates are needed to run OpenVpn. Where do I find

Re: [Openvpn-users] Openvpn

2014-10-29 Thread David Sommerseth
involved improving the systemd integration in OpenVPN. [root@host:~] # systemctl {start|stop|status} openvpn@CONFIG-NAME -- kind regards, David Sommerseth

Re: [Openvpn-users] 2.3.5 - systemd

2014-10-29 Thread David Sommerseth
On 29/10/14 15:41, j.witvl...@mindef.nl wrote: Hi David, In the 2.3.5-changes I noticed: David Sommerseth (4): Improve error reporting on file access to --client-config-dir and --ccd-exclusive Don't let openvpn_popen() keep zombies around

Re: [Openvpn-users] Windows installers - Typo in the license agreement

2014-10-29 Thread David Sommerseth
from the autoconf package (IIRC, should be an address in Boston, Franklin street). -- kind regards, David Sommerseth To: Samuli Dearie, Could you please update the year 2010 to 2014 in the license agreement of the Windows installers? End users can't agree to abide by a license

Re: [Openvpn-users] Building v2.3.5 for RHEL/CentOS 6

2014-11-19 Thread David Sommerseth
on pkcs11-helper-1.11 for PKCS#11 smart card support. [1] https://copr.fedoraproject.org/ -- kind regards, David Sommerseth

Re: [Openvpn-users] Layer 2 tunnel (VPN)

2014-11-20 Thread David Sommerseth
(--ca, --key, --cert, --dh) can be the same across all server configs. -- kind regards, David Sommerseth

Re: [Openvpn-users] Layer 2 tunnel (VPN)

2014-11-21 Thread David Sommerseth
works, setting it up isn't illogical. -- kind regards, David Sommerseth

Re: [Openvpn-users] limits

2014-12-11 Thread David Sommerseth
intensive. -- kind regards, David Sommerseth

Re: [Openvpn-users] crl-verify using a remote file

2015-02-03 Thread David Sommerseth
be needed. -- kind regards, David Sommerseth

Re: [Openvpn-users] Status log not updating.

2015-01-28 Thread David Sommerseth
imagination, and you'll see that granting an unreviewed script root privileges is generally a bad idea. It is generally far better to get software through the standard package repositories of your distribution/OS. -- kind regards, David Sommerseth

Re: [Openvpn-users] connect 2 networks with OpenWRT

2015-05-18 Thread David Sommerseth
, but not that much) was so depressing I just decided never again will I use nor recommend dd-wrt. -- kind regards, David Sommerseth

Re: [Openvpn-users] push client network to server

2015-05-20 Thread David Sommerseth
. If you combine UDP with --tls-auth, the OpenVPN server port will also be hidden from port scanners. If these things are not of any concern to you, then static tunnels can indeed be a good alternative. kind regards, David Sommerseth

Re: [Openvpn-users] no group nobody: an issue?

2015-06-05 Thread David Sommerseth
the result? $ id nobody $ getent group nobody -- kind regards, David Sommerseth

Re: [Openvpn-users] any way to get local network details to flow through to the server?

2015-06-02 Thread David Sommerseth
page? kind regards, David Sommerseth

Re: [Openvpn-users] Is my manually compiled OpenVPN using the correct version of OpenSSL?

2015-06-12 Thread David Sommerseth
only. That's why OpenVPN only sees '1.0.1e' -- kind regards, David Sommerseth

Re: [Openvpn-users] custom static auth plugin - returning info to the client

2015-07-03 Thread David Sommerseth
needs to be 'push' statements, just as in the --client-config-dir approach. -- kind regards, David Sommerseth

Re: [Openvpn-users] push client network to server

2015-05-21 Thread David Sommerseth
On 21/05/15 14:25, Josu Lazkano wrote: 2015-05-20 23:49 GMT+02:00 David Sommerseth openvpn.l...@topphemmelig.net: [...snip...] I'll admit I haven't paid attention to all details in this discussion. Static encrypted VPN tunnels can work very well

Re: [Openvpn-users] CRL and --CApath usage

2015-08-21 Thread David Sommerseth
On 21/08/15 11:55, Rui Santos wrote: On 20-08-2015 18:40, David Sommerseth wrote: On 20/08/15 19:11, debbie...@gmail.com wrote: - Original Message - From: Rui Santos rsan...@grupopie.com To: openvpn-users@lists.sourceforge.net Sent

Re: [Openvpn-users] vpn speed related to crypto size, don't see any real differences?

2015-08-22 Thread David Sommerseth
somewhat closer to the TUN/TAP driver. Just my unfiltered 2 cents before calling it a day for today. -- kind regards, David Sommerseth

Re: [Openvpn-users] CRL and --CApath usage

2015-08-20 Thread David Sommerseth
) is also affected by --persist-key ... This is just pure guesswork, debbie10t. The CRL file is *NOT* affected by --persist-key. Rui: How have you configured --crl? Did you add the 'dir' flag when pointing to the directory? Or did you point directly to a CRL file? -- kind regards, David

Re: [Openvpn-users] Auth mode lack of understanding

2015-07-26 Thread David Sommerseth
is highly recommended, as it can reduce the attack vector considerably if new security issues are found in the SSL libraries (OpenSSL or PolarSSL/mbedTLS). And if coupled with the UDP protocol, the UDP port will not be detected during drive-by port scans. -- kind regards, David Sommerseth

Re: [Openvpn-users] Suddenly OpenVPN not working - backgrounds password prompt

2015-07-26 Thread David Sommerseth
patches ready for review providing a better API for querying for user input, which will help further down the road when systemd also enables such a feature. -- kind regards, David Sommerseth

Re: [Openvpn-users] Suddenly OpenVPN not working - backgroundspassword prompt

2015-07-26 Thread David Sommerseth
regards, David Sommerseth

Re: [Openvpn-users] Suddenly OpenVPN not working - backgroundspassword prompt

2015-07-26 Thread David Sommerseth
On 26/07/15 17:54, Alan McKay wrote: On Sun, Jul 26, 2015 at 10:39 AM, David Sommerseth openvpn.l...@topphemmelig.net wrote: This issue is not related to this at all. The described issue is expected when OpenVPN is started on a system with systemd. Except that on my CentOS 7 system at work

Re: [Openvpn-users] Cert/key variables; same; different?

2015-07-26 Thread David Sommerseth
to the proper drivers for the PKCS#11 technology of your choice. -- kind regards, David Sommerseth

Re: [Openvpn-users] Is it possible to obtain all of the ip addresses corresponding to a FQDN?

2015-10-18 Thread David Sommerseth
On 18 October 2015 02:49:14 CEST, Hongyi Zhao <hongyi.z...@gmail.com> wrote: >Hi all, > >For a domain name / FQDN, say www.google.com , is there a method to >obtain all of the ip addresses corresponding it? > $ host www.google.com kind regar

Re: [Openvpn-users] "Safe" configurations for installation without admin privileges?

2015-12-10 Thread David Sommerseth
onnect cmd --learn-address cmd --auth-user-pass-verify cmd method --tls-verify cmd There might be a few more, though. And I hope there are no other undocumented surprises in options.c. -- kind regards, David Sommerseth

Re: [Openvpn-users] Issue getting to LAN behind VPN Server

2016-01-12 Thread David Sommerseth
s network to access hosts on the tun0 "net", you must add: iptables -I FORWARD -o tun0 -j ACCEPT This allows forwarded packets to exit on the tun0 device. -- kind regards, David Sommerseth

Re: [Openvpn-users] push "auth-user-pass"

2016-06-14 Thread David Sommerseth
according to the requirement for each client. Now, there is one important detail. Clients which are expected to use username/password authentication must have 'auth-user-pass' in their local configuration. This option cannot be centrally managed th

Re: [Openvpn-users] IPv6 Manual and Wiki page errors

2016-06-01 Thread David Sommerseth
ram (f.ex. git send-email). If you start sending patches more regularly, we generally prefer that you use git send-email. For a more comprehensive git course, have a look here: <http://community.openvpn.net/openvpn/wiki/GitCrashCourse> -- kind r

Re: [Openvpn-users] Tun vs Tap performance + Routing trick

2016-01-14 Thread David Sommerseth
er > info, but that could be completely wrong, You have it backwards. TUN sends L3 based packets, while TAP sends L2 packets, which also includes L3 data. So TUN will _reduce_ the overhead compared to TAP. -- kind regards, David Sommerseth

Re: [Openvpn-users] separate config directories for Windows client

2016-02-23 Thread David Sommerseth
It wouldn't accept that. >> > try using double backslashes and escape spaces: > --connect "c:\\program\ files\\openvpn\\config\\config1\\config1.ovpn" > > or use > --connect "c:/program files/openvpn/config/config1/config1.ovpn" --connect!? Not --config

Re: [Openvpn-users] Openvpn.net Wserver error !

2016-01-22 Thread David Sommerseth
On 22/01/16 14:44, debbie...@gmail.com wrote: > FYI: There appears to be something badly wrong with > https://community.openvpn.net/openvpn/wiki/TitleIndex > Fixed. -- kind regards, David Sommerseth

Re: [Openvpn-users] Can't start server, no output

2016-04-03 Thread David Sommerseth
unless you want OpenVPN to bind to a single IP address only. On the server side, not using 'local' means it will bind to 0.0.0.0 ("all configured IP addresses"). If using udp6 or tcp6 without 'local', it will also bind to all configured IPv4 and IPv6 addresses. -- kind regards

Re: [Openvpn-users] Server Script Execution Order

2016-04-25 Thread David Sommerseth
does much of what you seem to want. The only thing it is missing officially is LDAP support. I have started looking into LDAP authentication, but pulling firewall configs from LDAP is not currently covered (but not impossible). [1] http://ww

Re: [Openvpn-users] OpenVPN and IPTables

2016-05-19 Thread David Sommerseth
leges etc). -- kind regards, David Sommerseth > On Thu, May 19, 2016 at 10:50 AM, David Sommerseth > <open...@sf.lists.topphemmelig.net > <mailto:open...@sf.lists.topphemmelig.net>> wrote: > > On 18/05/16 18:28, Scott Crooks wrote: >> Greetings, > >> In order

Re: [Openvpn-users] Segmentation Fault

2016-07-08 Thread David Sommerseth
b and the backtrace can be captured afterwards. Without a backtrace it is nearly impossible to understand why it crashes. Most likely it is related to a NULL pointer, but which pointer will be plain guesswork which mostly would be a lot of wasted time. -- kind regards, David Sommerseth

Re: [Openvpn-users] [openvpn-users] client user/pass timeout ?

2016-06-30 Thread David Sommerseth
ling to wait forever for a user to respond. But systemd-ask-password has its own timeout mechanism which might kick in. I'll admit though that we might not handle these timeouts from systemd-ask-password gracefully enough. -- kind regards, David Sommerseth

Re: [Openvpn-users] DNS leak under Debian Testing

2017-02-08 Thread David Sommerseth
s if you use --user/--group in your OpenVPN config, then you must run the client.down script via the down-root plugin - otherwise the resolv.conf file is not restored properly. -- kind regards, David Sommerseth

Re: [Openvpn-users] openvpn 2.4.0 and cipher negotiation with older clients

2017-01-24 Thread David Sommerseth
gs and lots of other places, my gut feeling is that OCC itself shouldn't increase the build size as much as the complete --enable-small option does. -- kind regards, David Sommerseth

Re: [Openvpn-users] Updating rules while user connected

2017-01-20 Thread David Sommerseth
ent-notes.txt might be a good thing... I'll give it a shot soonish. > David, > I think you understand the management interface on the server side best Ouch ... ;-) > - > is anything else missing there?) In regards to client-kill, I don't think so. But if starting to fine-read the source code,

Re: [Openvpn-users] Clarification on auth-gen-token and 2FA

2017-01-27 Thread David Sommerseth
On 27/01/17 08:27, Gert Doering wrote: > Hi, > > On Fri, Jan 27, 2017 at 12:02:21AM +0100, David Sommerseth wrote: >> On 26/01/17 19:45, Gert Doering wrote: >>> On Thu, Jan 26, 2017 at 07:36:32PM +0100, David Sommerseth wrote: >>>> Anyhow ... quick-fix/

Re: [Openvpn-users] DNS leak under Debian Testing

2017-02-10 Thread David Sommerseth
On 09/02/17 13:01, Matthias Müller wrote: > Hi David, > > On 08/02/17 13:52, David Sommerseth wrote: >> You need to check what the resolvconf script on your computer does, and >> if there is a way to configure it to behave differently. >> >> Otherwise, you

Re: [Openvpn-users] Correct use of ncp-ciphers/ncp-disable for the data channel cipher

2017-02-16 Thread David Sommerseth
ers the SSL libraries OpenVPN is built against supports. I hope this clarified more than adding more confusion :) -- kind regards, David Sommerseth OpenVPN Technologies, Inc

Re: [Openvpn-users] Correct use of ncp-ciphers/ncp-disable for the data channel cipher

2017-02-16 Thread David Sommerseth
On 16/02/17 18:58, Gert Doering wrote: > Hi, > > On Thu, Feb 16, 2017 at 02:44:13PM +0100, David Sommerseth wrote: >> A v2.4 (and newer) client which adds --ncp-ciphers can steer which >> ciphers a NCP capable server will use. So if the server uses >> --ncp-ciphers

Re: [Openvpn-users] 答复: 答复: Openvpn hangs on Hardware acceleration

2017-01-17 Thread David Sommerseth
GS When OpenVPN hangs, hit CTRL-C and then on the gdb command prompt: (gdb) bt This will list out a backtrace of where OpenVPN was when you hit CTRL-C. No need to complicate things with additional debug code, especially when it isn't easy to know where to add this debug code in the beginning

Re: [Openvpn-users] Updating rules while user connected

2017-01-19 Thread David Sommerseth
re really worth considering though - most likely this one as well. So, try the "lo-tech" variant first and see if that works well enough. -- kind regards, David Sommerseth

Re: [Openvpn-users] Add a directly connected route

2016-08-18 Thread David Sommerseth
re are far easier ways to accomplish that. -- kind regards, David Sommerseth

Re: [Openvpn-users] Add a directly connected route

2016-08-18 Thread David Sommerseth
s on the tun interface. As it is quite seldom I hear about such requirements, can you elaborate why you need the VPN client to have a public IP address? I just need to understand your use-case better. -- kind regards, Davi

Re: [Openvpn-users] Questions / help on setting up Openvpn

2016-10-26 Thread David Sommerseth
lp here on this ML, on the forums and on the #openvpn IRC channel on FreeNode. -- kind regards, David Sommerseth

Re: [Openvpn-users] Recently started IP/DNS leak?

2016-10-31 Thread David Sommerseth
On 31/10/16 12:40, ooo...@mailbox.org wrote: > UDP, AES-256-CBC... does that help? Thanks No. That just indicates which protocol you connect using, and AES-256-CBC is just the crypto algorithm used for your tunnelled data. -- kind regards, David Sommerseth > > On 31 October 2

Re: [Openvpn-users] --port-share and Fail2ban

2016-10-11 Thread David Sommerseth
-share feature also does not add any HTTP headers (X-Forwarded-For), as that would mean OpenVPN would need to decrypt https connections, add the HTTP header and encrypt it again. Meaning OpenVPN would be a MITM. So OpenVPN just forwards all non-OpenVPN packets to the configured host and port.

Re: [Openvpn-users] Can I preserve the tun device from being deleted on the client side after the connection was closed or the server side is unavailable?

2016-10-16 Thread David Sommerseth
quite well on Linux, especially when you want to use it for OpenVPN tasks. Otherwise there is tunctl which can be used to create tun/tap devices which can also set a few more advanced options, which generally do not make much of

Re: [Openvpn-users] source code of a licensed version

2016-12-08 Thread David Sommerseth
-devel on FreeNode and we can discuss what you need to consider when implementing FIPS mode to be accepted upstream. -- kind regards, David Sommerseth

Re: [Openvpn-users] Recommendations for maximum cryptographic security

2016-12-14 Thread David Sommerseth
hannel. (But EC certificates go further than just ECDHE and AES-256-GCM) For more on the deeper crypto details, I'll leave that to Steffan as he understands all of this far better. -- kind regards, David Sommerseth OpenVPN Technologies, Inc

Re: [Openvpn-users] Experts' opinions needed: Is my VPN provider using weak or strong encryption algorithms?

2016-12-15 Thread David Sommerseth
ink_unicorn.coolness ... and it'll still work. The important detail is that the "-BEGIN CERTIFICATE--" header and the corresponding footer is intact, as well as the "random" characters in between. -- kind regards, David Sommerseth

Re: [Openvpn-users] Experts' opinions needed: Is my VPN provider using weak or strong encryption algorithms?

2016-12-15 Thread David Sommerseth
lly close releasing v2.4. I'll probably wrap up the 2.4_rc2 later today - ready for a public release during tomorrow, and the final v2.4.0 release is scheduled for Dec 28th [1] unless something really odd and unexpected is showing up. But it has to be a real blocker issue, not a silly uncritical

Re: [Openvpn-users] Fwd: Re: Experts' opinions needed: Is my VPN provider using weak or strong encryption algorithms?

2016-12-15 Thread David Sommerseth
se different values, otherwise you will see "packet HMAC authentication failed" errors in the log. If the server uses 0, the client must use 1 ... or vice versa. In this mode, the client and server use different sub-keys from ta.key. -- kind regards, David Somme

Re: [Openvpn-users] Recommendations for maximum cryptographic security

2016-12-15 Thread David Sommerseth
is the most critical one, as the traffic between your VPN server/clients can be sniffed up on networks out of your control. -- kind regards, David Sommerseth

Re: [Openvpn-users] Fwd: Re: Experts' opinions needed: Is my VPN provider using weak or strong encryption algorithms?

2016-12-15 Thread David Sommerseth
If the HMAC signature in the UDP packet doesn't make sense, the packet is dropped instantly. (With TCP as transport, it is different as the SYN/ACK handshake needs to complete before you can start to send packets over the wire) -- kind regards, David Sommerseth OpenVPN Technologies, Inc >

Re: [Openvpn-users] question about "WARNING: this cipher's block size is less than 128 bit"

2016-12-17 Thread David Sommerseth
.4, which will help. The v2.4 man page carries the gory details too. -- kind regards, David Sommerseth

Re: [Openvpn-users] Enable FIPS encryption

2016-12-02 Thread David Sommerseth
//www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13382.html> -- kind regards, David Sommerseth OpenVPN Technologies, Inc

Re: [Openvpn-users] RANDFILE (defined in openssl-1.0.cnf) doesn't take effect

2017-01-04 Thread David Sommerseth
hed, but it is at least theoretically possible - and with time such memory dump analysis will only get simpler with improved tools) Just remember that the predictability of random numbers simplifies cracking encryption keys. <http://dilbert.com/strip/2001-10-25> <https://www.xkcd.co

Re: [Openvpn-users] Question about tls-crypt and port 443 firewall ducking

2016-12-21 Thread David Sommerseth
e developers to write such mangling plug-in modules. But the plan is to provide an API for it. As I've worked a lot with the --plugin interface, I do have some interest in enabling such an API. Hopefully I can manage to get something ready for the next major OpenVPN release. -- kind regards, Davi
