[Openvpn-users] TAP32 Adapter slow in accepting the DHCP assigned IP address

2013-05-27 Thread Ralf Hildebrandt
initialisiert. Fehler werden in der Ereignisanzeige in 15 Minuten aufgefhrt. Fri May 24 12:10:24 2013 End net commands... -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.de Campus Benjamin Franklin http://www.charite.de Hindenburgdamm

[Openvpn-users] CreateProcess failed...

2013-12-05 Thread Ralf Hildebrandt
--version' dir='C:\Users\Acer\Documents\Wichtige Dokumente\Charite\OpenVPN\bin' and an OK button on the bottom right. Problem: Even upon reinstallation with correct (default) paths, the error message above tends to stick. Where is that path stored? How can I fix this? -- Ralf

Re: [Openvpn-users] CreateProcess failed...

2013-12-06 Thread Ralf Hildebrandt
.x, and probably never will, because it might cause other issues which we don't want in stable releases. It will be bundled with the upcoming OpenVPN 2.4 installers, though. -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.de Campus Benjamin

Re: [Openvpn-users] username with non ascii characters

2014-03-18 Thread Ralf Hildebrandt
. Have you some information about this problem? Is it also in a recent version of openvpn? -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.de Campus Benjamin Franklin http://www.charite.de Hindenburgdamm 30, 12203 Berlin

[Openvpn-users] Installed to wrong path, how to fix?

2014-05-13 Thread Ralf Hildebrandt
I installed openvpn to a wrong folder, then I reinstalled and installed it to the correct folder. Now I'm getting: CreateProcess failed, exe=’D:\Lukas\Apps\personalVPN\bin\openvpn.exe’ cmdline=’openvpn—version’ dir=’D:\Lukas\Apps\personalVPN\bin’ How can that be fixed? -- Ralf Hildebrandt

Re: [Openvpn-users] Installed to wrong path, how to fix?

2014-05-13 Thread Ralf Hildebrandt
you can fix this by either removing OpenVPN-GUI's registry keys and running OpenVPN-GUI (as an admin), or by changing the value of the registry key which tells OpenVPN-GUI where to look for openvpn.exe. Which keys are those? -- Ralf Hildebrandt Charite Universitätsmedizin

Re: [Openvpn-users] Installed to wrong path, how to fix?

2014-05-13 Thread Ralf Hildebrandt
anyway, and where...? Who's changing the paths and why? I hate my users. And I hate Windows 8.1! -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.de Campus Benjamin Franklin http://www.charite.de Hindenburgdamm 30, 12203 Berlin

Re: [Openvpn-users] Installed to wrong path, how to fix?

2014-05-27 Thread Ralf Hildebrandt
Which keys are those? Look into HKEY_LOCAL_MACHINE\Software\OpenVPN-GUI. The registry key names are self-explanatory. Indeed. It was very simple. I deleted the whole HKEY_LOCAL_MACHINE\Software\OpenVPN-GUI subtree -- Ralf Hildebrandt Charite Universitätsmedizin Berlin

[Openvpn-users] Win7 Problem with 2.3.6

2015-02-16 Thread Ralf Hildebrandt
is being logged on the client side (!). After some time the server notices that the client went missing. * clicking on reconnect in the status window on the client makes the connection work for another 4 minutes. Any ideas on that one? -- Ralf Hildebrandt Charite

Re: [Openvpn-users] OpenVPN 2.3.9 released

2015-12-17 Thread Ralf Hildebrandt
EM!!!" > - otherwise some testers reported DNS latencies in the first few minutes > of VPN usage. A side issue there with register-dns: https://community.openvpn.net/openvpn/ticket/570 -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.de Camp

Re: [Openvpn-users] Fwd: "Safe" configurations for installation without admin privileges?

2015-12-10 Thread Ralf Hildebrandt
> , then confirm installation into tunnelblick" > - this is the level of users we're dealing with. Same here. > They wouldn't know about "files" and "move to correct directory, > replacing the file that is already there"... Same here. -- Ralf Hildebrandt

Re: [Openvpn-users] Fw: Windows installers with OpenVPN-GUI that requests highest available privileges

2016-01-05 Thread Ralf Hildebrandt
to my users all the time. I wonder if the installer could be "universal" (meaning it could contain both 32 and 64 bit versions and choose the correct arch automatically). -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.de Camp

Re: [Openvpn-users] Fw: Windows installers with OpenVPN-GUI that requests highest available privileges

2016-01-05 Thread Ralf Hildebrandt
* Selva Nair <selva.n...@gmail.com>: > manifest, but personally I think that's too invasive as there could be > legitimate users who do not need to set routes, for example. You mean a bridged VPN (TAP?) -- Ralf Hildebrandt Charite Universitätsmedizin Berlin r

Re: [Openvpn-users] Fw: Windows installers with OpenVPN-GUI that requests highest available privileges

2016-01-05 Thread Ralf Hildebrandt
me up with a > final installer!" and is sufficiently... $insertpoliteword that is not > easy to extend. > > But then, it's not mine anyway, maybe Samuli likes this idea so much... :-) Unlikely :) -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra

Re: [Openvpn-users] Openvpn.net Wserver error !

2016-01-22 Thread Ralf Hildebrandt
* debbie...@gmail.com <debbie...@gmail.com>: > FYI: > There appears to be something badly wrong with > https://community.openvpn.net/openvpn/wiki/TitleIndex ... Welcome to the wonderful world of wiki spam -- Ralf Hildebrandt Charite Universitätsmedizin Berli

[Openvpn-users] Buffer sizes?

2016-05-19 Thread Ralf Hildebrandt
I found this https://www.lowendtalk.com/discussion/40099/why-openvpn-is-so-slow-cool-story Is setting sndbuf/rcvbuf really a good solution? -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.de Campus Benjamin Franklin http://www.charite.de

Re: [Openvpn-users] Separate apt repositories for 2.4-alpha/beta/rc releases?

2016-10-17 Thread Ralf Hildebrandt
* Samuli Seppänen <sam...@openvpn.net>: > Hi, > > Should we have a separate apt repository for "unstable" apt packages? Yes please. Do have a look at how dovecot does it: http://wiki2.dovecot.org/PrebuiltBinaries#Debian there is "stable"

Re: [Openvpn-users] options error: option 'setenv' cannot be used in this context ([PUSH-OPTIONS])

2016-10-25 Thread Ralf Hildebrandt
e fatal errors. If I was able to make "register-dns" and "block-outside-dns" entirely optional (on OS X / Linux), I'd have a "clean" log. -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.de Campus Benjamin Frankli

Re: [Openvpn-users] Displaying messages to users by means of the GUI?

2017-11-27 Thread Ralf Hildebrandt
> I agree with Selva that it would be a good idea to standardize "echo" > commands, so I will start a new thread about that. I totally agree. -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.de Campus Benjami

Re: [Openvpn-users] migrating from lzo to lz4

2017-11-17 Thread Ralf Hildebrandt
O decompression header byte: 251 Nov 17 13:42:05 openvpn udp[23345]: hildeb/10.31.111.66 Bad LZO decompression header byte: 251 Nov 17 13:42:05 openvpn udp[23345]: hildeb/10.31.111.66 Bad LZO decompression header byte: 251 I'm using openvpn for mac (2.4.4)... -- Ralf Hildebrandt

Re: [Openvpn-users] migrating from lzo to lz4

2017-11-16 Thread Ralf Hildebrandt
* Jonathan K. Bullard <jkbull...@gmail.com>: > Hi, > > On Thu, Nov 16, 2017 at 5:45 AM, Ralf Hildebrandt > <ralf.hildebra...@charite.de> wrote: > > * Jan Just Keijser <janj...@nikhef.nl>: > > > >> yes, pretty much: all clients that have 'comp-

Re: [Openvpn-users] migrating from lzo to lz4

2017-11-16 Thread Ralf Hildebrandt
lse >     echo "Enabling LZO compression for client $common_name" >     echo "comp-lzo" >> $1 >     echo "push \"comp-lzo\"" >> $1 > fi Awesome. I'll try this. -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ra

Re: [Openvpn-users] Displaying messages to users by means of the GUI?

2017-11-21 Thread Ralf Hildebrandt
* Jonathan K. Bullard <jkbull...@gmail.com>: > Hi, > > On Mon, Nov 20, 2017 at 10:16 AM, Ralf Hildebrandt > <ralf.hildebra...@charite.de> wrote: > > My users primarily use Windows (OpenVPN-GUI), Tunnelblick. We do have > > some Linux users (mainly using

[Openvpn-users] Displaying messages to users by means of the GUI?

2017-11-20 Thread Ralf Hildebrandt
My users primarily use Windows (OpenVPN-GUI), Tunnelblick. We do have some Linux users (mainly using NetworkManager) and even 4 ChromeOS users. Is there any way for me to display informational messages on the users' computers when they're logging in via VPN? -- Ralf Hildebrandt

Re: [Openvpn-users] [ext] Re: OpenVPN network throughput vs raw network throughput

2018-06-08 Thread Ralf Hildebrandt
utside the VPN tunnel with --udp. Does that > give different results? Beware, UDP is limited to 1 Mbit in iperf ("default 1 Mbit/sec for UDP, unlimited for TCP"), thus: iperf3 --udp --bandwidth 200M -c 172.31.254.1 Also, check CPU on both machines to see if you'r

[Openvpn-users] Openvpn not working when DNS Servers were set manually

2018-01-11 Thread Ralf Hildebrandt
n DNS dynamically", VPN would work as expected. openvpn did not log anything regarding the DNS server (I do know that the Mac OS Tunnelblick VPN client issues a warning in that case). Is this intentional? -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@

[Openvpn-users] openvpn-nl ciphersuite question

2017-12-22 Thread Ralf Hildebrandt
Sv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA 1617 TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 2048 bit RSA 17756 TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.de

[Openvpn-users] disabling compression on the fly?

2018-10-09 Thread Ralf Hildebrandt
on the fly - for every client? How would I push an "empty" compression parameter? Is this feasible at all? -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.de Campus Benjamin Franklin https://www.charite.de

Re: [Openvpn-users] [ext] Re: disabling compression on the fly?

2018-10-09 Thread Ralf Hildebrandt
* Ralf Hildebrandt : > In the end I resorted to this: > > if ($version =~ "2\.3\.") { >push @outline, 'compress lzo'; >push @outline, 'push "compress lzo"'; > } > else { >push @outline, 'compress'; >push @outline, 'push "

Re: [Openvpn-users] [ext] Re: Reg openvpn frequent disconnect

2018-10-10 Thread Ralf Hildebrandt
ng rules, both on the box itself and in the core network. UDP or TCP? We're also seeing this a lot, especially with some DSL providers having issues with UDP traffic... -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.de Campus Benjamin

Re: [Openvpn-users] [ext] Push DNS openvpn

2019-02-21 Thread Ralf Hildebrandt
6.54" How does the client use openvpn? Via NetworkManager or via the command line. I guess the latter. -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.de Campus Benjamin Franklin https://www.charite.de Hindenburgdamm 30, 1220

Re: [Openvpn-users] [ext] Re: Error: private key password verification failed when using correct Password

2019-03-14 Thread Ralf Hildebrandt
* Stefanie Leisestreichler : > Thu Mar 14 14:46:48 2019 UDPv4 link remote: xxx.xxx.xxx.xxx:1194 > Thu Mar 14 14:47:48 2019 TLS Error: TLS key negotiation failed to occur > within 60 seconds (check your network connectivity) That could be a firewall or routing issue. -- Ralf Hi

Re: [Openvpn-users] [ext] cannot locate HMAC in incoming packet

2019-03-15 Thread Ralf Hildebrandt
or '185.200.118.0 - 185.200.118.255' is 'ab...@m247.ro' https://www.m247.ro/en/ -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.de Campus Benjamin Franklin https://www.charite.de Hindenburgdamm 30, 12203 Berlin Gesc

[Openvpn-users] sndbuf/rcvbuf tweaks (still) useful?

2019-09-09 Thread Ralf Hildebrandt
I found this: https://winaero.com/blog/speed-up-openvpn-and-get-faster-speed-over-its-channel/ and now I wonder if these recommendations (still) make sense. -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.de Campus Benjamin Franklin https

Re: [Openvpn-users] [ext] OpenVPN GUI with Wintun (unofficial)

2019-10-14 Thread Ralf Hildebrandt
if we could manage to get it into the > 2.5 release. I totally support this. Some of my users are having a hard time installing the "normal" driver, so Wintun is a welcome alternative. Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Camp

Re: [Openvpn-users] [ext] OpenVPN GUI with Wintun (unofficial)

2019-10-11 Thread Ralf Hildebrandt
since the man page of the "normal" openvpn doesn't list "windows-driver" -- so I was unsure if it's a) windows-specific b) 2.5-specific. Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG | Raum

Re: [Openvpn-users] [ext] OpenVPN GUI with Wintun (unofficial)

2019-10-11 Thread Ralf Hildebrandt
* Lev Stipakov : > To use Wintun driver instead of tap-windows6, add "windows-driver wintun" > to your VPN profile. "VPN profile"? Do you mean "in the config file"? ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net

Re: [Openvpn-users] [ext] Re: Redirect script stderr/stdout while in daemon mode?

2020-01-28 Thread Ralf Hildebrandt
* Gert Doering : > Hi, > > On Mon, Jan 27, 2020 at 04:40:10PM +0100, Ralf Hildebrandt wrote: > > How can I easily redirect script stderr/stdout while in daemon mode? > > > > I have a --auth-user-pass-verify script which (in some odd cases) > > exits with exit s

[Openvpn-users] Redirect script stderr/stdout while in daemon mode?

2020-01-27 Thread Ralf Hildebrandt
How can I easily redirect script stderr/stdout while in daemon mode? I have a --auth-user-pass-verify script which (in some odd cases) exits with exit status 255 and I cannot fathom why. Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus

Re: [Openvpn-users] [ext] Re: OpenVPN GUI 11

2020-04-16 Thread Ralf Hildebrandt
current installation faulty/non working" - while it's working perfectly. For over a year we're sending out config files which don't trigger the warning, but people still use the old files - and a new Tunnelblick, since (thank Lord!) it auto updates! -- Ralf Hildebrandt Charité

Re: [Openvpn-users] [ext] Windows GUI + proxy script support

2020-04-16 Thread Ralf Hildebrandt
* Dajka Tamás : > Yes (given he/she can access the proxy through the VPN - the defgw is pushed > also) > > PROXY_AUTO_CONFIG_URL is a 'wpad'/'pac' file for me, containing all the infos > needed - standard format. Same as here; I don't think there's a way :/ Ralf Hild

Re: [Openvpn-users] [ext] Re: OpenVPN GUI 11

2020-04-16 Thread Ralf Hildebrandt
> will be a problem if you distribute the same configuration file(s) for > users of all platforms. That is what we currently do, but if your method has advantages, we can maybe generate MAC-Specific files. Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung

Re: [Openvpn-users] [ext] Windows GUI + proxy script support

2020-04-16 Thread Ralf Hildebrandt
it work as a DHCP option? You want a user to establish a VPN connection and then "use" the pushed PROXY_AUTO_CONFIG_URL in his/her browser? Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG | Ra

Re: [Openvpn-users] [ext] OpenVPN GUI 11

2020-04-16 Thread Ralf Hildebrandt
ser can simply double click a > ovpn extension file and it will prompt to load the configuration. I do agree an "import on double click" would benefit the average reading-impaired user (we have those, lots!) Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Ab

Re: [Openvpn-users] [ext] Re: Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-02 Thread Ralf Hildebrandt
igned > > Authenticode = cross-signed > > > Sorry, I don't know much about NSIS operation: is tap-windows6 driver > included in the openvpn-install-2.4.8-i602-Win10.exe installer? Blasphemic question: Why is a win7 driver included in "openvpn-install-2.4.8-i602-Win10.

Re: [Openvpn-users] [ext] Re: Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-03-31 Thread Ralf Hildebrandt
* mich...@fritscher.net : > Am 2020-03-30 17:14, schrieb Ralf Hildebrandt: > > Did that just now, along with some screenshots. > > Which were scrubbed from the mailinglist software it seems... I sent them to him, not the list (as requested) Ralf Hildebrandt Charité - Universität

Re: [Openvpn-users] [ext] Re: passtos option

2020-03-30 Thread Ralf Hildebrandt
hat, it is hardly ever required to set > it on a client, unless that client is forwarding traffic for a client-side > lan The idea was to use "--passtos" since we're using skypeforBusiness on the clients. Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT

Re: [Openvpn-users] [ext] Re: Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-03-30 Thread Ralf Hildebrandt
> Can you send me (privately) C:\Windows\inf\setupapi.dev.log from one or > some of the affected computers? Or just the part of it which describes > the failed tap-windows6 installation (rather easy to find). Did that just now, along with some screenshots. Ralf Hildebrand

[Openvpn-users] passtos option

2020-03-30 Thread Ralf Hildebrandt
Does the passtos option need to be set BOTH on the server and client? If so, can I "push" the option to the client? We're mostly using Windows (2.4.2 and up) & Mac Clients (Tunnelblick) -- are their openvpn implementations handling this option at all? Ralf Hilde

Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-01 Thread Ralf Hildebrandt
setupapi.dev.log files from both of the > machines if that would be helpful. Definitely. I sent my copy to Samuli. I also have the setupapi.dev.log after installation and after the installation of the alternative TAP32 driver. Maybe the diff can be helpful. Ralf Hildebrandt Charité - Univers

[Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-03-26 Thread Ralf Hildebrandt
! If this is a known issue -- could we get a recent version of openvpn with a TAP32 driver that actually works on Win10? Or can we simply recommend installing 2.4.7 instead (and hope the driver bundled is 9.23.3)? It doesn't seem to happen with all Win10 installations, though. -- Ralf Hildebrandt Charité

[Openvpn-users] State of the Art settings for cipher & auth?

2020-03-18 Thread Ralf Hildebrandt
What are the current "state of the art" settings for cipher & auth? My current gateway is using: cipher AES-256-CBC auth SHA256 Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG | Raum 105

Re: [Openvpn-users] [ext] Re: State of the Art settings for cipher & auth?

2020-03-18 Thread Ralf Hildebrandt
SHA256 dh none ecdh-curve secp384r1 like on https://www.privacy-handbuch.de/handbuch_97a.htm ? > And, if all your systems are 2.4+ and you do not change --ncp-disable or > --ncp-ciphers, is what you get automatically anyway. :-) Which they are not :( The IGEL

Re: [Openvpn-users] OpenVPN 2.5-rc3 released

2020-10-19 Thread Ralf Hildebrandt
the key-direction / tls-auth statements in respect to the blocks? -- Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG | Raum 105 Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 ralf.hildeb

[Openvpn-users] Quite a few "Authenticate/Decrypt packet error: bad packet ID (may be a replay)" warnings

2020-06-15 Thread Ralf Hildebrandt
y in effect... Using 2.4.9-bionic0 from Ubuntu. And yes, the process had been started after the config change was made. Could it be that this option is not working? Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus

Re: [Openvpn-users] [ext] Re: Clarification of "remote-random-hostname"

2021-01-11 Thread Ralf Hildebrandt
would totally disable DNS Caching, yes. Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG | Raum 105 Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 ralf.hildebra...@charite.de h

[Openvpn-users] Clarification of "remote-random-hostname"

2021-01-11 Thread Ralf Hildebrandt
", how can the client expect to resolve ".foo.bar.gov" at all? -- Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG | Raum 105 Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 5

Re: [Openvpn-users] [ext] WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA256'

2020-10-29 Thread Ralf Hildebrandt
ntly (we talked about this) link-mtu used inconsistently (dunno what to do about this) WARNING: 'cipher' is used inconsistently, but I have a more recent config for that. Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I

[Openvpn-users] WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA256'

2020-10-29 Thread Ralf Hildebrandt
-256-CBC:AES-128-GCM:AES-128-CBC:BF-CBC auth SHA256 and the client config says: cipher AES-256-CBC auth SHA256 As far as I can see "auth SHA256" is used consistently. So why does it report "auth [null-digest]"? Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbe

Re: [Openvpn-users] [ext] WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA256'

2020-10-29 Thread Ralf Hildebrandt
* Ralf Hildebrandt : > As far as I can see "auth SHA256" is used consistently. > So why does it report "auth [null-digest]"? tl;dr: client and server negotiate a GCM (Galois/Counter Mode) cipher (AES-GCM), and those ciphers include an HMAC, thus the specified AU

[Openvpn-users] Flock of openvpn Servers: how to make one machine stop accepting NEW clients?

2021-01-08 Thread Ralf Hildebrandt
to prevent MORE clients on machine 2? I could return AUTH_FAILED, but that would irritate the users, since their clients would ask for a (new) password. -- Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG

Re: [Openvpn-users] [ext] Re: Flock of openvpn Servers: how to make one machine stop accepting NEW clients?

2021-01-08 Thread Ralf Hildebrandt
t so. > (Maybe I'm all wrong and there is a way to send RESTART from plugin > or scripts, and I just don't know it yet) That would rock. Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG | Raum 1

Re: [Openvpn-users] Flock of openvpn Servers: how to make one machine stop accepting NEW clients?

2021-02-11 Thread Ralf Hildebrandt
s just fine Even UDP clients? > and limit amount of backend connections, haproxy can work if you don't need > UDP > traffic, We're using UDP... > LVS does not works as expected with UDP balancing. That would have been my initial choice Ralf Hildebrandt Charité - Universitätsm

Re: [Openvpn-users] [ext] Re: connecting to management interface from client-connect script?

2021-04-01 Thread Ralf Hildebrandt
> Use 2.5, which has asynchronous (deferred) client-connect scripts. Are there any changes needed for that in the config / on the script side of things? Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1.

[Openvpn-users] "PID_ERR large diff" messages

2021-03-16 Thread Ralf Hildebrandt
:627548 t=1615815597[0] r=[-2,64,15,92,1] sl=[8,64,64,528] Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG | Raum 105 Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 ralf.hildebra...@charite.de

[Openvpn-users] TLS version

2021-07-15 Thread Ralf Hildebrandt
: 2048 bit RSA, signature: RSA-SHA256 Right now I'm correlating using field #5 (IP:Port), but is there an easier way? Is the TLS version in any environment variable so I can log it using a client-connect or learn script? -- Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich

Re: [Openvpn-users] [SPAM] [ext] Unable to locate the .deb package of OpenVPN 2.5.4 for Debian 11/Bullseye

2021-10-07 Thread Ralf Hildebrandt
appeared. Use https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG | Raum 105 Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 ralf.hildebr

[Openvpn-users] Current openvpn(related) CVEs

2021-11-23 Thread Ralf Hildebrandt
& openvpn process? -- Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG | Raum 105 Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 ralf.hildebra...@charite.de https://

Re: [Openvpn-users] [ext] Re: Current openvpn(related) CVEs

2021-11-23 Thread Ralf Hildebrandt
ok at how other people do it... Thanks for the quick response! Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG | Raum 105 Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 ralf.hildebra...@c

Re: [Openvpn-users] [ext] Re: Linux client DNS resolver - does it even work?

2021-11-15 Thread Ralf Hildebrandt
NM has more issues. E.g. it is unable to import configs with multiple connection blocks. Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG | Raum 105 Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 ralf.hil

Re: [Openvpn-users] [ext] (no subject)

2021-12-02 Thread Ralf Hildebrandt
possible to prevent the details of > IFACE and HWADDR from being transmitted to my VPN provider? Are they REALLY transmitted to your VPN provider? Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG | Rau

Re: [Openvpn-users] [ext] (no subject)

2021-12-02 Thread Ralf Hildebrandt
e.ss:49786 peer info: IV_COMP_STUBv2=1 ip.add.re.ss:49786 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760 ip.add.re.ss:49786 peer info: IV_SSO=openurl -- Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1

Re: [Openvpn-users] [ext] (no subject)

2021-12-02 Thread Ralf Hildebrandt
VPN > provider. As a connection is being made, many lines of text flash > across the terminal. Please tell me if the lines of text that I see > belong to the server's log? No, that's your client's log. -- Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung N

[Openvpn-users] CA migration?

2021-07-21 Thread Ralf Hildebrandt
I want to transition from an old, internal CA (easyrsa) to a new, internal CA (also easyrsa). But how do I do this? Can I make openvpn accept client certificates from two CAs (the old and the new one)? Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk

Re: [Openvpn-users] [ext] Re: CA migration?

2021-07-22 Thread Ralf Hildebrandt
* Bo Berglund : > On Wed, 21 Jul 2021 10:57:50 +0200, Ralf Hildebrandt > wrote: > > >But how do I do this? Can I make openvpn accept client certificates > >from two CAs (the old and the new one)? > > Why using a new certificate? I need a new CA due to the German

Re: [Openvpn-users] [ext] Re: Openvpn on virtualbox

2019-11-11 Thread Ralf Hildebrandt via Openvpn-users
vironment, I'd suggest a > type 1 hypervisor. ESXi 6.x Free is a good choice and I've run many > OpenVPN installs on it with good results, Thanks. Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG | Raum

[Openvpn-users] Openvpn on virtualbox

2019-11-11 Thread Ralf Hildebrandt via Openvpn-users
) sessions. Are there tuning tips regarding this particular setup (or openvpn on virtualized hardware), or is virtualbox merely a poor choice :) Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG | Raum 105

[Openvpn-users] OpenVPN-2.4.8 running on new hardware, but is it using the CPU based hardware crypto?

2019-11-07 Thread Ralf Hildebrandt via Openvpn-users
openvpn2019 udp[703]: OpenVPN 2.4.8 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 30 2019 Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG | Raum 105

Re: [Openvpn-users] [ext] Re: OpenVPN-2.4.8 running on new hardware, but is it using the CPU based hardware crypto?

2019-11-07 Thread Ralf Hildebrandt via Openvpn-users
your openssl > library does NOT use hardware crypto. 10 times faster - thanks! Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG | Raum 105 Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 ralf.hildebr

Re: [Openvpn-users] [ext] Re: Strange DCO && UDP problem

2023-08-18 Thread Ralf Hildebrandt via Openvpn-users
then reinstalled a more recent version (5.2.0.454) and we were still able to connect with the proper bandwidths. -- Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG | Raum 105 Hindenburgdamm 30 | D-12203 Ber

[Openvpn-users] Strange DCO && UDP problem

2023-08-14 Thread Ralf Hildebrandt via Openvpn-users
, 644Mbit/s) but only 0.76Mbit/s upstream. Tried different servers: same problem. With TCP all is well, with UDP upload sucks. Disabling DCO: both with TCP and UDP all is well. So it's some sort of DCO issue -- but only with UDP. Any ideas how we could examine it further? -- Ralf Hildebrandt Charité

Re: [Openvpn-users] [ext] Re: Strange DCO && UDP problem

2023-08-14 Thread Ralf Hildebrandt via Openvpn-users
, but currently I have no elevated privileges on that machine. > Does it reproduce on different client machines? Not sure yet. -- Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG | Raum 105 Hindenburgd

Re: [Openvpn-users] 2.6rc2 server with DCO and 2.6rc2 client with DCO: not working

2023-01-19 Thread Ralf Hildebrandt via Openvpn-users
incompatible with DCO" > or so. Arne? We totally agree. Although the authentication went OK the user is greeted with a "re-enter your password" -- Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus

[Openvpn-users] 2.6rc2 client & DCO: down script fails since tun0 is already gone

2023-01-19 Thread Ralf Hildebrandt via Openvpn-users
his matter? Is the tun0 interface taken down too early? Should I even care? -- Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG | Raum 105 Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 ral

[Openvpn-users] 2.6rc2 server with DCO and 2.6rc2 client with DCO: not working

2023-01-18 Thread Ralf Hildebrandt via Openvpn-users
C=DE, ST=Berlin, L=Berlin, O=Charite-VPN, OU=GB-IT, CN=openvpn.charite.de, emailAddress=v...@charite.de" subject remote-cert-eku "TLS Web Server Authentication" persist-key persist-tun verb 3 reneg-sec 0 auth-user-pass up auth-nocache script-security 2 mute-replay-warnings tls

[Openvpn-users] Did I miss the 2.6.1 announcement?

2023-03-10 Thread Ralf Hildebrandt via Openvpn-users
Did I miss the 2.6.1 announcement? It was released on the 8th, but no announcement it seems. -- Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG | Raum 105 Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30

Re: [Openvpn-users] [ext] Re: 2.6.x pre-build packages for Ubuntu (mostly) without DCO

2023-03-10 Thread Ralf Hildebrandt via Openvpn-users
* Gert Doering : > On Fri, Mar 10, 2023 at 04:32:37PM +0100, Ralf Hildebrandt via Openvpn-users > wrote: > > Now we checked this on our different ubuntu machines and found that > > openvpn (from the official build repos) > > > > on focal: had no DCO > >

[Openvpn-users] 2.6.x pre-build packages for Ubuntu (mostly) without DCO

2023-03-10 Thread Ralf Hildebrandt via Openvpn-users
the development package and pkg-config installed? Must be version 3.4.0 or newer for DCO]) ] ) According to this, 3.4.0 should suffice! So maybe the build process for the packages on https://swupdate.openvpn.net/repos/ is lacking a few build dependencies? -- Ralf Hildebrandt Cha

Re: [Openvpn-users] [ext] Re: 2.6.x pre-build packages for Ubuntu (mostly) without DCO

2023-04-11 Thread Ralf Hildebrandt via Openvpn-users
> As far as I understand, 2.6.2 .deb for focal should also be compiled > "with DCO enabled" now. Yep! -- Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG | Raum 105 Hindenburgdamm 30

Re: [Openvpn-users] [ext] Does anyone suggestion regarding this error?

2023-02-10 Thread Ralf Hildebrandt via Openvpn-users
ervatory.com) -- Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG | Raum 105 Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 ralf.hildebra...@charite.de https://ww

Re: [Openvpn-users] [ext] Re: OpenVPN-2.6.0-I004-amd64.msi still fails to work on Microsoft Windows 11 if opvpn-dco is enabled

2023-02-10 Thread Ralf Hildebrandt via Openvpn-users
were pushing "compress" to 2.6 clients. But how can I check what the client is willing to support? -- Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG | Raum 105 Hindenburgdamm 30 | D-12203

Re: [Openvpn-users] [ext] Re: OpenVPN-2.6.0-I004-amd64.msi still fails to work on Microsoft Windows 11 if opvpn-dco is enabled

2023-02-10 Thread Ralf Hildebrandt via Openvpn-users
* Gert Doering : > What they need to do is to enable "compression migrate" on the server > side, and stop unconditionally pushing "comp-lzo no" to clients that > are not signalling that they can handle this. Ah THAT's what we need to use :) -- Ralf Hildebrandt

Re: [Openvpn-users] [ext] Does anyone suggestion regarding this error?

2023-02-10 Thread Ralf Hildebrandt via Openvpn-users
rver using TCP or Udp? -- Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG | Raum 105 Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 ralf.hildebra...@charite.de h

Re: [Openvpn-users] [ext] Re: OpenVPN-2.6.0-I003-amd64.msi does not work on Microsoft Windows 11 if ovpn-dco is enabled

2023-01-31 Thread Ralf Hildebrandt via Openvpn-users
e > nobind > persist-key > persist-tun > verb 4 > remote-cert-tls server > ping 10 > ping-restart 60 > sndbuf 524288 > rcvbuf 524288 > cipher AES-256-CBC > --disable-dco Shouldn't "--disable-dco" rather be "disable-dco" when used inside a con

[Openvpn-users] CRL: cannot read CRL from file /etc/openvpn/ca/crl.pem

2023-06-13 Thread Ralf Hildebrandt via Openvpn-users
What's wrong here? -- Ralf H

Re: [Openvpn-users] [ext] Re: CRL: cannot read CRL from file /etc/openvpn/ca/crl.pem

2023-06-19 Thread Ralf Hildebrandt via Openvpn-users
* Jonny Oschätzky via Openvpn-users : > On 17.06.23 14:37, Ralf Hildebrandt via Openvpn-users wrote: > > Attached is the actual crl file in PEM format. > > My OpenVPN (Debian 12) does not complain about your crl. > > Jun 17 15:17:05 tenebris openvpn[3094334]: Diffi

Re: [Openvpn-users] [ext] Re: CRL: cannot read CRL from file /etc/openvpn/ca/crl.pem

2023-06-17 Thread Ralf Hildebrandt via Openvpn-users
* Jonny Oschätzky via Openvpn-users : > On Tuesday, 13 June 2023 10:16:36 CEST Ralf Hildebrandt via Openvpn-users > wrote: > > > routines:get_name:no start line Jun 13 03:06:23 openvpn-igel-int > > tcp[452155]: CRL: cannot read CRL from file /etc/openvpn/ca/crl.pem > &g

Re: [Openvpn-users] [ext] Re: CRL: cannot read CRL from file /etc/openvpn/ca/crl.pem

2023-06-17 Thread Ralf Hildebrandt via Openvpn-users
d then there is > something more, which confuses OpenSSL - but not enough to reject the > session. Attached is the actual crl file in PEM format. -- Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG

Re: [Openvpn-users] [ext] Re: auth-token-user/auth-token issue with "TLS Auth Error: username attempted to change"

2023-05-05 Thread Ralf Hildebrandt via Openvpn-users
the devices of userA the same token. -- Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG | Raum 105 Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 ralf.hildebra...@charite.de https://w

[Openvpn-users] auth-token-user/auth-token issue with "TLS Auth Error: username attempted to change"

2023-05-05 Thread Ralf Hildebrandt via Openvpn-users
[29574]: hildeb/10.31.192.115:55334 TLS Auth Error: Auth Username/Password verification failed for peer What do we have to do to make the server accept the auth-token-user it pushed to the client? -- Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netz
