OpenVPN

hi,

I would need some advice.
My configuration is the following:
- one pc at work, static and routable IP, W.W.W.GATE, behind a firewall with one
UDP port open
- one laptop with:
  - static IP at work W.W.W.Laptop that uses NFS, Flexlm, etc...
  - dhcp (192.168.0.2) at home behind a small DSL router (192.168.0.1, DSL D.D.D.1)

I would like the laptop at home appear like if it was at work (NFS, Flexlm, etc)
using the same IP number. I just need the link for one machine. 

I have recompiled the kernel on both sides to have tun, bridge, netfilter and
installed openvpn, bridge-utils and iptable. I can establish a connection using
openvpn (e.g. 10.0.0.1 to 10.0.0.2) between the two machines.
I have only one IP number (W.W.W.Laptop) for the laptop and one for the work
machine (W.W.W.Gate). (we are pretty tight on IP numbers right now).

I have read the documentation, including the bridge mini-howto, but (obviously)
I don't understand everything.

Question: what would be the simplest way to get it working? Would bridge work
(limitation of only one IP available)? Any other solution (with masquerade only?)?

This may not be the right place to ask for the question (not openvpn specific)
but any help would be really appreciated.
Thanks
philippe

Best Regards
  Ouyang Kai

Does anybody else is having bounces from the sourceforge maillist with a
"domain not found" reply from the MTA?

Thanks,

RSalles


--=20
"A well-written program is its own heaven; a poorly-written program is it=
s
own hell."
TAO of Programming - Book 4

Hi,

Firstly this is a great package to use quickly, I was able
to compile and install and get a tunnel working in 30
mins (after wading through the options etc etc). In
order to test the package and prove to myself that I
can use this for the final target environment of allowing
VPN over the internet for our intranet access etc, I
started a small experiment..


I have a network with 192.168.1.0/24 as the local
ethernet. The linux server is 192.168.1.1 and has eth0
as the local ethernet interface. The linux server is
connected to an adsl router by the interface eth1, and
ip address 192.168.0.2, the router is 192.168.0.1.

On linux, I have shorewall implementing a very restricted
firewall and masquerading eth0 over eth1. i.e. allowing
http access for the local net through the router.

Firstly what I did was to try and implement a tunnel
between the linux server and my XP machine (gotta use
it for dev :-( ). This went off smoothly, I had the tunnel
between my xp machine and the linux server over the
ethernet as 192.168.2.2 (xp) <-> 192.168.2.1 (linux). I
was able to ping both end points and there were no
problems.

The problems occur when I try to masq. tun0 over eth1.
Apparently all the configuration is okay (maybe), but the
connections never succeed (there is no response).
Falling back to getting the basics working, I have tried
ping to a static ip address (say 202.54.xxx.xxx) this
works over the ethernet and masq. But when I set the
route on the xp machine to use the tunnel interface the
packets seemed to go into a black hole.

I then started tracing the packets using tcpdump. The
packets were coming through tun0 on the linux machine
fine. The packets (icmp) were being accepted by
shorewall fine (ACCEPT:info). They were being forwarded
onto the eth1 interface too. But at this point I found
some strange messages.

arp who-has 192.168.2.2 tell 192.168.0.1

(I have verified that when browsing through the
ethernet this is a common occurrence followed by an
arp-reply)

But in this case there was no arp reply. My guess is that
the icmp reply is coming back to the router but it doesnt
know where to send it ??

How can I solve this (I am sure its a very small trick).

ADDITIONAL NOTE:

I have reason to believe this has got more to do with MASQUERADING since
the outgoing address from the linux box is 192.168.2.2 instead of 
masquerading as 192.168.0.1 as is being done on eth0 ??


Your help is much appreciated
Regards
Kak

_________________________________________________________________
Make glass paintings? Are you a good artist? 
http://server1.msn.co.in/features/general/diwali.asp Sell your Diwlai 
creations online.

Karthik S <talk2sk@...> said:

> Hi,
> 
> Firstly this is a great package to use quickly, I was able
> to compile and install and get a tunnel working in 30
> mins (after wading through the options etc etc). In
> order to test the package and prove to myself that I
> can use this for the final target environment of allowing
> VPN over the internet for our intranet access etc, I
> started a small experiment..
> 
> 
> I have a network with 192.168.1.0/24 as the local
> ethernet. The linux server is 192.168.1.1 and has eth0
> as the local ethernet interface. The linux server is
> connected to an adsl router by the interface eth1, and
> ip address 192.168.0.2, the router is 192.168.0.1.
> 
> On linux, I have shorewall implementing a very restricted
> firewall and masquerading eth0 over eth1. i.e. allowing
> http access for the local net through the router.
> 
> Firstly what I did was to try and implement a tunnel
> between the linux server and my XP machine (gotta use
> it for dev :-( ). This went off smoothly, I had the tunnel
> between my xp machine and the linux server over the
> ethernet as 192.168.2.2 (xp) <-> 192.168.2.1 (linux). I
> was able to ping both end points and there were no
> problems.
> 
> The problems occur when I try to masq. tun0 over eth1.
> Apparently all the configuration is okay (maybe), but the
> connections never succeed (there is no response).
> Falling back to getting the basics working, I have tried
> ping to a static ip address (say 202.54.xxx.xxx) this
> works over the ethernet and masq. But when I set the
> route on the xp machine to use the tunnel interface the
> packets seemed to go into a black hole.
> 
> I then started tracing the packets using tcpdump. The
> packets were coming through tun0 on the linux machine
> fine. The packets (icmp) were being accepted by
> shorewall fine (ACCEPT:info). They were being forwarded
> onto the eth1 interface too. But at this point I found
> some strange messages.
> 
> arp who-has 192.168.2.2 tell 192.168.0.1
> 
> (I have verified that when browsing through the
> ethernet this is a common occurrence followed by an
> arp-reply)
> 
> But in this case there was no arp reply. My guess is that
> the icmp reply is coming back to the router but it doesnt
> know where to send it ??
> 
> How can I solve this (I am sure its a very small trick).
> 
> ADDITIONAL NOTE:
> 
> I have reason to believe this has got more to do with MASQUERADING since
> the outgoing address from the linux box is 192.168.2.2 instead of 
> masquerading as 192.168.0.1 as is being done on eth0 ??

If you are masquerading tun0 over eth1, you want something like this:

# Keep state of connections from local machine and private subnets
iptables -A OUTPUT -m state --state NEW -o eth0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -o eth0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Masquerade local subnets
iptables -t nat -A POSTROUTING -s $PRIVATE1 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s $PRIVATE2 -o eth0 -j MASQUERADE

In your case substitute eth1 for eth0 and set $PRIVATE1 and/or $PRIVATE2 to
the private addresses of clients on the other end of tun0.

What you will essentially be doing is providing a first hop from client to
server via OpenVPN for such things as web traffic, which will then be
masqueraded out to the internet using the server's public IP address (i.e.
eth1).  This lets you lock down the client so that all traffic goes through
the VPN, even internet-bound traffic such as web browsing.

James

T24gVHVlLCAyMDA0LTAxLTEzIGF0IDE2OjEwLCBKb2huIExvY2tlIHdyb3RlOg0KPiBXZWxsLCBJ
IGNhbid0IHNwZWFrIHRvIHRoZSBwcm9ibGVtcyB5b3UgYW5kIE1pa2UgYXJlIGV4cGVyaWVuY2lu
ZywNCj4gdHJ5aW5nIHRvIGRvdWJsZS1icmlkZ2UgeW91ciBuZXR3b3JrcywgYnV0IGl0IHN0cmlr
ZXMgbWUgYXMgYSBiYWQgaWRlYQ0KPiBmb3Igb25lIHBhcnRpY3VsYXIgcmVhc29uOiB5b3UncmUg
bWFraW5nIHlvdXIgTGludXggYm94ZXMgYWN0IGxpa2UgYQ0KPiBodWIsIGluc3RlYWQgb2YgYSBz
d2l0Y2guIElmIEkgdW5kZXJzdGFuZCB0aGUgd2F5IGJyaWRnaW5nIHdvcmtzDQo+IGNvcnJlY3Rs
eSwgYWxsIHBhY2tldHMgdGhhdCB0cmF2ZXJzZSBhbnkgYnJpZGdlZCBpbnRlcmZhY2UgZ2V0cyBz
ZW50IHRvDQo+IGFsbCBvZiB0aGUgb3RoZXIgaW50ZXJmYWNlcyBvbiB0aGUgYnJpZGdlLg0KDQo+
QXMgZmFyIGFzIEkgdW5kZXJzdGFuZCBMaW51eCBicmlkZ2luZywgaXQgbWFrZXMgdGhlIGJveGVz
IGFjdCBsaWtlDQo+c3dpdGNoZXMsIG5vdCBodWJzLiAgV2hlbiB5b3UgYnJpbmcgYSBicmlkZ2Ug
b25saW5lLCBwYWNrZXRzIGFyZSBkcm9wcGVkDQo+aW50byBhIGhvbGUgZm9yIGEgbGl0dGxlIHdo
aWxlIHVudGlsIHRoZSBicmlkZ2luZyBjb2RlIGdldHMgYSBmZWVsIGZvcg0KPnRoZSBuZXR3b3Jr
IHRvcG9sb2d5IGl0IGhhcyBiZWVuIGRyb3BwZWQgaW4gdG8sIGFuZCBjYW4gcm91dGUgcGFja2V0
cw0KPmFwcHJvcHJpYXRlbHkuIA0KDQo+IFRoYXQgbWVhbnMgdGhhdCB3aGVuZXZlciB5b3UgY29u
bmVjdCB0byB5b3VyIGxvY2FsIExpbnV4IGdhdGV3YXksIGl0J3MNCj4gc2VuZGluZyB0cmFmZmlj
IHRocm91Z2ggdGhlIHR1bm5lbCwgZXZlbiBpZiBpdCdzIHRoZSBkZXN0aW5hdGlvbi4NCj4gUmVn
YXJkbGVzcyBvZiB3aGV0aGVyIHlvdSBnZXQgaXQgdG8gd29yayBjb3JyZWN0bHksIHRoaXMgc2Vl
bXMgbGlrZSBpdA0KPiB3b3VsZCBjYXVzZSBzdWJzdGFudGlhbCBwZXJmb3JtYW5jZSBwcm9ibGVt
cy4NCg0KPkluZGVlZCBpdCB3b3VsZCwgaWYgdGhhdCB3YXMgaG93IGl0IHdvcmtlZC4uLiBidXQg
SSdtIHJlbGF0aXZlbHkgY2VydGFpbg0KPml0IGlzIHNtYXJ0ZXIgdGhhbiB0aGF0LiAgUGVyaGFw
cyBzb21lYm9keSBlbHNlIGhlcmUga25vd3MgZm9yIHN1cmU/DQoNCj4gVGhlIHBlcmZvcm1hbmNl
IGhpdCBpc24ndCB0b28gYmFkIHdoZW4geW91J3JlIG9ubHkgYnJpbmdpbmcgb25lIGNvbXB1dGVy
DQo+IGF0IGEgdGltZSBpbnRvIHlvdXIgbmV0d29yayB0aHJvdWdoIGEgYnJpZGdlIChvciBldmVu
IG1hbnkgaW5kaXZpZHVhbA0KPiBlbmRwb2ludHMpLiBCdXQgeW91J3JlIGJyaWRnaW5nIHR3byBu
ZXR3b3JrcyB0byBlYWNoIG90aGVyPyBTZWVtcyBsaWtlDQo+IHlvdSdyZSBnb2luZyB0byBoYXZl
IHByb2JsZW1zLiBZb3UnbGwgaGF2ZSB0byBiZSB2ZXJ5IGNhcmVmdWwgd2l0aCB5b3VyDQo+IElQ
IGFkZHJlc3MgYXNzaWdubWVudHMuDQoNCj5XZSdyZSBhY3R1YWxseSB1dGlsaXppbmcgYSBzaW5n
bGUgREhDUCBzZXJ2ZXIgZm9yIGJvdGggbmV0d29ya3Mgbm93IHRoYXQNCj50aGUgYnJpZGdlIGlz
IGluIHBsYWNlIGFuZCB3b3JraW5nIHByb3Blcmx5OyBubyBJUCBhZGRyZXNzIGNvbmZsaWN0cw0K
PnRoaXMgd2F5LiAgSWYgdGhleSBjb3VsZCBoYXZlIGRvbmUgaXQsIHRoZXkgd291bGQgaGF2ZSBq
dXN0IHJ1biBDQVQ1IHRvDQo+dGhlIHNlY29uZCBsb2NhdGlvbiBhbmQgcGx1Z2dlZCBpdCBpbnRv
IGFub3RoZXIgc3dpdGNoLiAgOi0pDQoNCj4gT2gsIEkgdGhpbmsgSSBzZWUgdGhlIHByb2JsZW0u
IEZyb20gb25lIGVuZCwgeW91J3JlIHVzaW5nIGEgdGFwIGRldmljZQ0KPiB0byBjb25uZWN0IHRv
IGEgYnJpZGdlZCB0YXAgZGV2aWNlIG9uIHRoZSBvdGhlciBlbmQuIFlvdXIgbG9jYWwgdGFwDQo+
IGRldmljZSBlc3NlbnRpYWxseSBnZXRzIGFuIElQIGFkZHJlc3Mgb24gdGhlIHJlbW90ZSBuZXR3
b3JrLiBCdXQgaWYgdGhhdA0KPiBsb2NhbCB0YXAgZGV2aWNlIGlzIGJyaWRnZWQgdG8geW91ciBy
ZWFsIGludGVyZmFjZSwgeW91J3JlIGdvaW5nIHRvIGxvc2UNCj4gdGhlIElQIGFkZHJlc3MgYXNz
aWduZWQgdG8gdGhhdCBpbnRlcmZhY2UsIGFuZCB0aGUgdW5kZXJseWluZyBjb25uZWN0aW9uDQo+
IHdvbid0IHJvdXRlIGNvcnJlY3RseS4NCg0KPlRoYXQgd2FzIGFuIGlzc3VlIGluIHNvbWUgdGVz
dCBzY2VuYXJpb3MsIGJ1dCBpbiB0aGlzIHNldHVwLCBlYWNoIGJveA0KPmhhcyB0d28gcGh5c2lj
YWwgaW50ZXJmYWNlczsgdGhlIExBTiBldGhlcm5ldCBwb3J0IChldGgwKSBhbmQgdGhlIFQxDQo+
Y29ubmVjdGlvbiAoaGRsYzApLiAgVGhlIFQxIGNvbm5lY3Rpb24gbmV2ZXIsIGl0c2VsZiwgam9p
bnMgdGhlIGJyaWRnZS4NCj5PcGVuVlBOIHJ1bnMgb3ZlciB0aGF0IFQxIGNvbm5lY3Rpb24gYmV0
d2VlbiB0aGUgdHdvIGNvbXB1dGVycywNCj5kaXJlY3RseS4gIFRoZSBPcGVuVlBOLWdlbmVyYXRl
ZCB0YXAgZGV2aWNlIGlzIGJyaWRnZWQgaW4gd2l0aCB0aGUgTEFODQo+ZXRoZXJuZXQgZGV2aWNl
LCBzbyB3ZSBjYW4gdGFrZSB0aGUgYnJpZGdlIGRvd24gZW50aXJlbHkgYW5kIHN0aWxsIHRhbGsN
Cj50byB0aGUgY29tcHV0ZXIgb3ZlciB0aGUgaGRsYyBjb25uZWN0aW9uIGlmIHdlIG5lZWQgdG8g
KGFuZCB3ZSBkaWQNCj50b2RheSkuDQoNCj4gSSB0aGluayBib3RoIG9mIHlvdSB3aWxsIGhhdmUg
bXVjaCBiZXR0ZXIgc3VjY2VzcyByb3V0aW5nIHlvdXIgbmV0d29ya3MNCj4gdG9nZXRoZXIsIGlu
c3RlYWQgb2YgYnJpZGdpbmcgdGhlbS4gQm90aCBuZXR3b3JrcyB3aWxsIGJlIG11Y2ggbW9yZQ0K
PiByZWxpYWJsZSwgYW5kIHRoZSBwZXJmb3JtYW5jZSB3aWxsIGJlIG11Y2ggYmV0dGVyLg0KDQo+
WWVzIGFuZCBubzsgcm91dGluZyBkb2Vzbid0IG9mZmVyIHRoZSBzYW1lIGxldmVscyBvZiBmcmVl
ZG9tIGFzIGJyaWRnaW5nDQo+ZG9lcy4gIEJyb2FkY2FzdCBwYWNrZXRzLCBmb3IgaW5zdGFuY2Us
IGRvbid0IG5lZWQgdG8gd29ycnkgYWJvdXQNCj5yb3V0aW5nLiAgSWRlYWxseSwgdGhlc2UgdHdv
IG5ldHdvcmtzIHdvdWxkIGxpa2UgdG8gbG9vayBsaWtlIG9uZTsgeW91DQo+Y2FuJ3QgdXNlIGEg
c2luZ2xlIERIQ1Agc2VydmVyIGZvciB0d28gcm91dGVkIG5ldHdvcmtzIGluIHRoaXMga2luZCBv
Zg0KPnNldHVwLg0KDQo+QXNpZGUgZnJvbSB0aGUgb2RkYmFsbCBpc3N1ZXMgd2UncmUgcnVubmlu
ZyBpbiB0byB3aXRoIHRoZSBuZWNlc3NpdHkgb2YNCj5naXZpbmcgdGhlIEV0aGVybmV0IGludGVy
ZmFjZSBhbiBJUCBhZGRyZXNzIGluc2lkZSB0aGUgYnJpZGdlIGFuZCB0aGUNCj5ldmVuIHN0cmFu
Z2VyIGlzc3VlIG9uIHRoZSBib3ggdGhhdCB3b24ndCB0YWxrIHRvIHVzIGF0IGFsbCBvdmVyIGJy
MCwNCj50aGUgYnJpZGdpbmcgc2V0dXAgaXMgcmVsaWFibGUuLi4gSSd2ZSBiZWVuIHJ1bm5pbmcg
YSBicmlkZ2Ugb24gb25lIGJveA0KPmhlcmUgYXQgaG9tZSBmb3IgYWJvdXQgYSB5ZWFyIG5vdywg
YmV0d2VlbiB0d28gaGFyZCBldGhlcm5ldCBpbnRlcmZhY2VzLA0KPmFuZCBoYXZlbid0IG9uY2Ug
aGFkIGFueSBwcm9ibGVtcyB3aXRoIGl0LiAgVGhpcyBsZWF2ZXMgdXMgd2l0aCB0aGUNCj5UVU4v
VEFQIGRyaXZlciBhbmQgT3BlblZQTiBhcyB0aGUgb25seSBpbmNyZWFzZWQgZmFpbHVyZSBwb2lu
dHMsIGFuZA0KPnRoZXkgc2VlbSByb2NrIHNvbGlkIGZvciB0aGUgbW9zdCBwYXJ0IHRvIG1lLCBz
YW5zIHRoaXMgb25lIHNtYWxsIGlzc3VlLg0KPg0KPlJvYg0KDQogDQpJZiBieSBkb3VibGUtYnJp
ZGdpbmcsIHlvdSBtZWFuIHBsYWNpbmcgYSBsaW51eCBib3ggYXQgYm90aCBlbmRzIG9mIGFuIGlu
dGVybmV0IGNvbm5lY3Rpb24gYW5kIHJ1bm5pbmcgYnJjdGwNCm9uIHRoZW0sIHRoZW4geWVzLiAg
VGhhdCdzIHdoYXQgd2UncmUgdHJ5aW5nIHRvIGRvLCB1c2luZyBPcGVuVlBOIHRvIG1ha2UgaXQg
c2VjdXJlLiAgV2UgaGF2ZSBhIG5ldHdvcmsNCndpdGggMiBzZXJ2ZXJzIGFuZCAzIG9yIDQgd29y
a3N0YXRpb25zIGluIG9uZSBsb2NhdGlvbiBhbmQgd2UncmUgdHJ5aW5nIHRvIHNlY3VyZWx5IGNv
bm5lY3QgdG8gYSByZW1vdGUNCm5ldHdvcmsgd2l0aCAzIGNvbXB1dGVycywgc2hhcmluZyBhbGwg
dHJhZmZpYyBpbmNsdWRpbmcgYnJvYWRjYXN0cywgRE5TIHJlc29sdXRpb24sIERIQ1AsDQpldmVy
eXRoaW5nLiAgVGhlIGNvbXB1dGVycyBhdCB0aGUgcmVtb3RlIGVuZCBuZWVkIHRvIGhhdmUgZnVs
bCBhY2Nlc3MgdG8gdGhlIHNlcnZlcnMgYXQgdGhlIG1haW4gb2ZmaWNlLiAgSQ0KdGhvdWdodCB0
aGUgYmVzdCBzZXR1cCB3b3VsZCBiZSAyIGxpbnV4IGJveGVzLCBvbmUgb24gZWFjaCBlbmQsIGFj
dGluZyBhcyB0aGUgZmlyZXdhbGxzLCBhbmQgdXNpbmcgT3BlblZQTg0KYnJpZGdlcyB0byBob29r
IGl0IGFsbCB1cCBzZWN1cmVseS4gIFNvIGZhciwgdGhlIGJveGVzIHdpbGwgc2VlIGVhY2hvdGhl
ciBhbmQgdGFsaywgYnV0IGF0IHRoZSBleHBlbnNlIG9mIHRoZQ0KcGh5c2ljYWwgaW50ZXJuYWwg
ZXRoZXJuZXQgaW50ZXJmYWNlLCBldGgxLiAgRm9yIHNvbWUgcmVhc29uLCB3aGVuIHRoZSByYy5v
cGVudnBuIHNjcmlwdCBydW5zLCBpdCBzZXRzIGV0aDENCnRvIGluYWN0aXZlLCBjdXR0aW5nIGV2
ZXJ5b25lIG9mZiBiZWhpbmQgaXQuICBBbSBJIHN1cHBvc2VkIHRvIGNvbWJpbmUgYSBkdW1teSBp
bnRlcmZhY2Ugd2l0aCB0YXAwDQppbnN0ZWFkIG9mIGV0aDEgc28gSSBjYW4gY29udGludWUgdG8g
cnVuIHRyYWZmaWMgdGhyb3VnaCB0aGUgZmlyZXdhbGw/ICBPciBjYW4gSSBtYWtlIHRoZSB0d28g
cmVtb3RlDQpuZXR3b3JrcyBzZWUgZWFjaG90aGVyIHVzaW5nIHRoZSByb3V0aW5nIG1ldGhvZCBp
bnN0ZWFkIG9mIHRoZSBicmlkZ2luZz8gIFRoZSBvbmx5IHRoaW5nIEkga25vdyBmb3INCnN1cmUg
aXMgdGhhdCB0aGV5IGFyZSBlc3RhYmxpc2hpbmcgcGVlciBjb21tdW5pY2F0aW9ucywgYW5kIHRo
ZSBib3hlcyBjYW4gcGluZyBlYWNob3RoZXJzJyBXQU4NCmFuZCBpbnRlcm5hbCBhZGRyZXNzZXMg
anVzdCBmaW5lLiAgSSdtIGp1c3QgaGF2aW5nIGEgaGFyZCB0aW1lIGZpbmRpbmcgYW55IGV4YW1w
bGVzIG9mDQpzaW1pbGFyIHNldHVwcyBvbiB0aGUgaW50ZXJuZXQgYW5kIG5ld3Nncm91cHMuICBB
bmQgSSBrbm93IGl0J3MgcG9zc2libGUsIGJlY2F1c2UgSSd2ZSBkb25lIGl0IHdpdGgNCldhdGNo
Z3VhcmRzIGluIHRoZSBzYW1lIGNvbmZpZ3VyYXRpb24uDQogDQpUaGFua3MgZ3V5cyEhIA0K

Hello list members,

I'm testing the new release of openvpn and we're having too many link
drops (don't know if it is a problem at the Win2k or Linux side).

The config parameters are as follows:

(Win2k)
remote 200.xxx.xxx.xxx
port 500x
proto udp
dev tap
ifconfig 10.0.5.1 255.255.255.0
secret the.key
cipher BF-CBC
ping 10
tun-mtu 1500
tun-mtu-extra 32
verb 4
mute 10

The Linux side has it's configuration adapted to the Win2k VPN link.

The link is started, 1 mn. later i start transfer data with an internal
Kylix app, and suddenly the links becomes not responsive.
When restarted, the same happens.
In a test-mtu it was sugested to use 1572 for mtu value: i'm receiving an
error message trying to set in Win2k this value, so it's not possible to
do that.

Any help would be greatly appreciated.

TIA,


RSalles

(Please do not consider the .signature related in any way with openvpn
itself: it's used for me there are 2 years or more).

--=20
"A well-written program is its own heaven; a poorly-written program is it=
s
own hell."
TAO of Programming - Book 4

Renato,

For the Windows version, 1.6-beta1 uses "ip-win32 dynamic" by default.  By
contrast, 1.5.0 uses "ip-win32 ipapi".

I assume that you are testing 1.6-beta1.  If so try "ip-win32 ipapi".  This
will help isolate whether the problem is being caused by the new "ip-win32
dynamic" code.

Also, as far as MTU is concerned, try the usual conservative values on both
sides of the connection:

  tun-mtu 1500
  tun-mtu-extra 32
  mssfix 1400

See if this fixes the problem when ip-win32 is left unspecified on 1.6b1 so
that it defaults to dynamic.

James

Renato Salles <rsalles@...> said:

> Hello list members,
> 
> I'm testing the new release of openvpn and we're having too many link
> drops (don't know if it is a problem at the Win2k or Linux side).
> 
> The config parameters are as follows:
> 
> (Win2k)
> remote 200.xxx.xxx.xxx
> port 500x
> proto udp
> dev tap
> ifconfig 10.0.5.1 255.255.255.0
> secret the.key
> cipher BF-CBC
> ping 10
> tun-mtu 1500
> tun-mtu-extra 32
> verb 4
> mute 10
> 
> The Linux side has it's configuration adapted to the Win2k VPN link.
> 
> The link is started, 1 mn. later i start transfer data with an internal
> Kylix app, and suddenly the links becomes not responsive.
> When restarted, the same happens.
> In a test-mtu it was sugested to use 1572 for mtu value: i'm receiving an
> error message trying to set in Win2k this value, so it's not possible to
> do that.
> 
> Any help would be greatly appreciated.
> 
> TIA,
> 
> 
> RSalles
> 
> (Please do not consider the .signature related in any way with openvpn
> itself: it's used for me there are 2 years or more).
> 
> -- 
> "A well-written program is its own heaven; a poorly-written program is its
> own hell."
> TAO of Programming - Book 4
> 
> 
> -------------------------------------------------------
> The SF.Net email is sponsored by EclipseCon 2004
> Premiere Conference on Open Tools Development and Integration
> See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
> http://www.eclipsecon.org/osdn
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@...
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
> 



--

James,

Thank you for your prompt reply. I'll try with the parameters you've
sugested and let you know the results.
This is strange, i had 2 links in test with 1.5-beta11 and the link didn'=
t
show this behaviour. Anyway, as the client asked to perform this
installation urgently, i have a restrict time to test.

Other parameter of (few?) interest:
Both ends are hiden by a Alcatel STPro ADSL modem (exactly the same model=
).
To the test we're using fixed-ip at both ends, nat'ed. Linux server is
running 2.4.22 kernel and here we test with Toshiba Satellite Pentium
III/Win2k-SP4 (fresh install).

Thank you again,

Renato



James Yonan disse:
> Renato,
>
> For the Windows version, 1.6-beta1 uses "ip-win32 dynamic" by default. =
 By
> contrast, 1.5.0 uses "ip-win32 ipapi".
>
> I assume that you are testing 1.6-beta1.  If so try "ip-win32 ipapi".
> This
> will help isolate whether the problem is being caused by the new "ip-wi=
n32
> dynamic" code.
>
> Also, as far as MTU is concerned, try the usual conservative values on
> both
> sides of the connection:
>
>   tun-mtu 1500
>   tun-mtu-extra 32
>   mssfix 1400
>
> See if this fixes the problem when ip-win32 is left unspecified on 1.6b=
1
> so
> that it defaults to dynamic.
>
> James
>
> Renato Salles <rsalles@...> said:
>
>> Hello list members,
>>
>> I'm testing the new release of openvpn and we're having too many link
>> drops (don't know if it is a problem at the Win2k or Linux side).
>>
>> The config parameters are as follows:
>>
>> (Win2k)
>> remote 200.xxx.xxx.xxx
>> port 500x
>> proto udp
>> dev tap
>> ifconfig 10.0.5.1 255.255.255.0
>> secret the.key
>> cipher BF-CBC
>> ping 10
>> tun-mtu 1500
>> tun-mtu-extra 32
>> verb 4
>> mute 10
>>
>> The Linux side has it's configuration adapted to the Win2k VPN link.
>>
>> The link is started, 1 mn. later i start transfer data with an interna=
l
>> Kylix app, and suddenly the links becomes not responsive.
>> When restarted, the same happens.
>> In a test-mtu it was sugested to use 1572 for mtu value: i'm receiving
>> an
>> error message trying to set in Win2k this value, so it's not possible =
to
>> do that.
>>
>> Any help would be greatly appreciated.
>>
>> TIA,
>>
>>
>> RSalles
>>
>> (Please do not consider the .signature related in any way with openvpn
>> itself: it's used for me there are 2 years or more).
>>

>


--=20
"A well-written program is its own heaven; a poorly-written program is it=
s
own hell."
TAO of Programming - Book 4

Does Open Vpn have remote access feaature. If it is SSL based, can we 
configure remote access using a normal browser.


-- 
Awadhesh Kumar Paswan
Center for Development of Advanced Computing,
Member Technical Staff,
Network & Internet Software Group,
University Campus, Ganeshkhind Road,
Pune-411007
Ph. 020-25694000, ext-462

Can i use openvpn to connect these 2 computers:
One a linux box behind my router and my winxp box
behind my company's firewall, which is a firewall that
i have no control of?
Thanks

__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free web site building tool. Try it!
http://webhosting.yahoo.com/ps/sb/

On Tue, Feb 03, 2004 at 09:53:33AM +0530, awadheshp@... wrote:
> Does Open Vpn have remote access feaature.

I do not understand the question, so I'll just tell you what OpenVPN is:
it is a means to carry TCP/IP traffic (a point-to-point peer connection)
through a tunnel which optionally may be SSL-encrypted. The tunnel
typically uses a single UDP port on both peers.

> If it is SSL based, can we 
> configure remote access using a normal browser.

Not to the best of my knowledge. "SSL" has nothing to do with "HTTPS" in
this case. OpenVPN is its own protocol.

It probably would be simple to write a Webmin module to manage OpenVPN
settings on a Unix peer, but I do not know if it has been done. I might
eventually underwrite such a thing.

I have no idea about OpenVPN administration on Windows, nor do I have
any plans to find out about it. :)

    Rob - /dev/rob0

Maybe a VNC or Terminal-client session tunneled trough the VPN link.

HTH,

RSalles


Rob McGee disse:


> On Tue, Feb 03, 2004 at 09:53:33AM +0530, awadheshp@... wrote=
:
>> Does Open Vpn have remote access feaature.
>
> I do not understand the question, so I'll just tell you what OpenVPN is=
:
> it is a means to carry TCP/IP traffic (a point-to-point peer connection=
)
> through a tunnel which optionally may be SSL-encrypted. The tunnel
> typically uses a single UDP port on both peers.
>
>> If it is SSL based, can we
>> configure remote access using a normal browser.
>
> Not to the best of my knowledge. "SSL" has nothing to do with "HTTPS" i=
n
> this case. OpenVPN is its own protocol.
>
> It probably would be simple to write a Webmin module to manage OpenVPN
> settings on a Unix peer, but I do not know if it has been done. I might
> eventually underwrite such a thing.
>
> I have no idea about OpenVPN administration on Windows, nor do I have
> any plans to find out about it. :)
>
>     Rob - /dev/rob0
>
>
> -------------------------------------------------------
> The SF.Net email is sponsored by EclipseCon 2004
> Premiere Conference on Open Tools Development and Integration
> See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
> http://www.eclipsecon.org/osdn
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@...
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
>


--=20
"A well-written program is its own heaven; a poorly-written program is it=
s
own hell."
TAO of Programming - Book 4

On Mon, 2004-02-02 at 20:23, awadheshp@... wrote:
> Does Open Vpn have remote access feaature. If it is SSL based, can we 
> configure remote access using a normal browser.
> 
No.

Try VNC (http://tightvnc.com). And tunnel it through OpenVPN--or perhaps
set up Apache as a proxy to add SSL?

Cheers,
-- 
John Locke
Open Source solutions for small business problems
http://freelock.com

On Tue, 2004-02-03 at 06:09, Michael Katz wrote:
> Can i use openvpn to connect these 2 computers:
> One a linux box behind my router and my winxp box
> behind my company's firewall, which is a firewall that
> i have no control of?

Impossible to tell with any degree of confidence.
But the chances are bigger with OpenVPN than with most other VPN
solutions, thanks to the ability to use arbitrary ports, or tunnel
through a proxy, etc.

-- 
Florin Andrei

http://florin.myip.org/

Hi All, 

I got the message "Peer connection initiated with...." when I started the 
config file. When I run the server's tap address in the start/Run win2k 
professional,it threw the error "network path was not found". The server is 
running in winows2000 server. Any help will be appreciated 


regards,
Muru

A new release of the 2.0 beta is available.

* One of the goals of OpenVPN 2.0 is extreme scalability, i.e. robustly
handling connections from potentially thousands of clients.  To do this, some
kind of load balancing and failover capability is needed, because a single
OpenVPN daemon running on a single processor may not be able to handle this
kind of load.  One solution is to set up a cluster of near-identically
configured OpenVPN daemons on separate machines, or multiple daemons on a
multiprocessor machine, or both.  Each daemon is running with --mode server
and can handle multiple clients.

The feature that makes this now possible is that --remote has been extended to
allow a list of remote servers and port numbers to be specified on the client
such as:

  remote server1 5000
  remote server1 5001
  remote server2 5000
  remote server2 5001
  
By default the OpenVPN client will try each host/port in the order specified.
 If the connection fails (such as triggered by --ping/--ping-restart) the
client will move to the next host in the list.  The client can also initially
randomize the list using the new --remote-random flag, to provide a basic
load-balancing capability.

The servers are configured almost identically, though each has its own port
number and --ifconfig-pool IP address range.

* Harald Roelle has observed some limitations in the current Linux 2.4 and 2.6
tun/tap driver.  Specifically, the TX queue size is set to 10 by default,
which is too small.  There is also a problem with "kicking" where a packet in
the driver may get stuck there and need another packet to come through to
"kick" it out.  This may account for the "no buffer space available" message
that some Linux users report.  To work around this problem, OpenVPN has added
a --txqueuelen option to raise the queue length to a more sane size, and now
defaults to 100.  Right now, this is a Linux-only option.  I've also added
--rcvbuf and --sndbuf to control the TCP/UDP socket buffer sizes.  Harald
Roelle and Max Krasnyansky have put together some patches which fix the Linux
tun/tap driver issues, and should (hopefully) be in the pipeline shortly for
inclusion in the mainline 2.4 and 2.6 branches.  For now, --txqueuelen will
provide a workaround.

At this point I would say that nearly all of the key features which have been
envisaged for 2.0 are in place with a few exceptions:

* TCP Support in the multi-client server -- The only way that I can see of
scalably adding TCP support (without using multiple threads or processes) is
to use an efficient multi-socket API such as epoll() which is available on
Linux 2.6 and also apparently on 2.4 via a kernel patch.

* Forking server support -- The 2.0 multi-client server model is designed for
people who want a potentially large number of clients to tunnel through a
single tun or tap interface using a single daemon process.  Some people
however might prefer the forking server model, where the server automatically
forks off a new process for each incoming client, dynamically allocating a
private tun/tap interface for that client.

* Multithreading support -- multithreading offers two key advantages: (1) it
reduces the worst-case latency of packets flowing through the tunnel and (2)
it offers the opportunity for a single daemon to utilize all the processors on
an multiprocessor machine.  Unfortunately, multithreading causes a lot of
problems including complexifying the source code and introducing
race-condition bugs which can be extremely difficult to reproduce or track
down.  My thinking at this point is that implementing multithreading may not
be worth the trouble, especially given the fact that the new load balancing
feature can allow multiple OpenVPN daemons running on multiple machines to
serve the same client pool.

* Compatibility with 1.x -- OpenVPN 2.0 tries as much as possible to be
upwardly compatible with 1.x.  The main difference is that 2.0 changes some
parameter defaults.  The tun/tap MTU has been raised to 1500, --mssfix 1450 is
now the default, and --key-method now defaults to 2.  The only feature which
has been removed is the special-purpose SSL/TLS thread feature which is
enabled on 1.x if you build OpenVPN with the --enable-pthread flag.  I might
put it back if people complain, but overall I'm not sure that it's worth the
trouble.

Change Log:

2004.04.28 -- Version 2.0-test26

* Optimized broadcast path in multi-client mode.
* Added socket buffer size options --rcvbuf & --sndbuf.
* Configure Linux tun/tap driver to use a more sensible
  txqueuelen default.  Also allow explicit setting
  via --txqueuelen option (Harald Roelle).
* The --remote option now allows the port number
  to be specified as the second parameter.  If
  unspecified, the port number defaults to the
  --rport value.
* Multiple --remote options on the client can now be
  specified for load balancing and failover.  The
  --remote-random flag can be used to initially randomize
  the --remote list for basic load balancing.
* If a remote DNS name resolves to multiple DNS addresses,
  one will be chosen by random as a kind of basic
  load-balancing feature if --remote-random is used.
* Added --connect-freq option to control maximum
  new connection frequency in multi-client mode.
* In multi-client mode, all syslog messages associated
  with a specific client now include a client-ID prefix.
* For Windows, use a gettimeofday() function based
  on QueryPerformanceCounter (Derek Burdick).
* Fixed bug in interaction between --key-method 2
  and DES ciphers, where dynamic keys would be generated
  with bad parity and then be rejected.


Download:

http://openvpn.sourceforge.net/beta/

Hi OpenVPN author and community !

We want to connect 2 private networks over a public network using OpenVPN-1.5.0

Network-A   192.168.28.0/24
Host        192.168.28.26   tun0 10.192.168.28/10.192.168.56,
                            routing network 192.168.56.0/24 to gw 10.192.168.56

Network-B   192.168.56.0/24
Host        192.168.56.13   tun0 10.192.168.56/10.192.168.28,
                            routing network 192.168.28.0/24 to gw 10.192.168.28

We can "ping" the tunnel end points, so the connection works in general.

But if 192.168.28.26 does a ssh to 192.168.56.13, the connection is shown at 
192.168.56.13 coming from 10.192.168.28. We think this is wrong, the connection
should show up coming from 192.168.28.26.

Given this fact, how to get from any host in Network-A to any host in Network-B
if all connections seem to come from the tunnel end at the destination host?

Kernel IP routing table on 192.168.28.26:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.192.168.56   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.28.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.56.0    10.192.168.56   255.255.255.0   UG    0      0        0 tun0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.28.1    0.0.0.0         UG    0      0        0 eth0

Kernel IP routing table on 192.168.56.13 looks simliar.

If this is not sufficient more information can be given.


Kind regards, Frank Elsner

Frank,

Show us the conf files for both ends.

Also, what distro?

Doug

Frank Elsner wrote:

>Hi OpenVPN author and community !
>
>We want to connect 2 private networks over a public network using OpenVPN-1.5.0
>
>Network-A   192.168.28.0/24
>Host        192.168.28.26   tun0 10.192.168.28/10.192.168.56,
>                            routing network 192.168.56.0/24 to gw 10.192.168.56
>
>Network-B   192.168.56.0/24
>Host        192.168.56.13   tun0 10.192.168.56/10.192.168.28,
>                            routing network 192.168.28.0/24 to gw 10.192.168.28
>
>
>  
>

I just installed Windows XP Pro Service Pack 2 (Release Candidate 2) on my notebook and noticed that my TAP Adapter disappeared from my list of Network Connections in Control Panel.

I executed the OpenVPN\bin\deltapall.bat in order to delete all "existing" TAP adapters (at least the one that was there before installing SP2RC2) and then executed OpenVPN\bin\addtap.bat to add at least one, but I still cannot see it in my Network Connections applet in Control Panel.

This is the output of "ipconfig /all":

Windows IP Configuration

  Host Name . . . . . . . . . . . . : FEsquivel
  Primary Dns Suffix  . . . . . . . :
  Node Type . . . . . . . . . . . . : Hybrid
  IP Routing Enabled. . . . . . . . : No
  WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter LAN:

  Connection-specific DNS Suffix  . :
  Description . . . . . . . . . . . : 3Com 3C920 [...]
  Physical Address. . . . . . . . . : 00-0B-DB-A2-93-25
  Dhcp Enabled. . . . . . . . . . . : No
  IP Address. . . . . . . . . . . . : 10.3.1.21
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Default Gateway . . . . . . . . . : 10.3.1.2
  DNS Servers . . . . . . . . . . . : 10.3.1.2

Ethernet adapter {2EFC47B4-AD00-45EF-85BA-FC1263D98528}:

  Media State . . . . . . . . . . . : Media disconnected
  Description . . . . . . . . . . . : TAP-Win32 Adapter - Packet Scheduler Miniport
  Physical Address. . . . . . . . . : 00-FF-2E-FC-47-B4

So, I guess the {2EFC47B4-AD00-45EF-85BA-FC1263D98528} adapter is the one just created, but as it does not have a valid ASCII name, it does not appear listed on my Network Connections applet.

Is there a workaround for XP's SP2RC2 from the OpenVPN project?

-- 
   Fabio
        //

------
   Haga que su nombre sea su dirección de correo
   en http://www.netidentity.com/GIXIVCKD

   Mis DVDs: http://www.intervocative.com/dvdcollection.aspx/Unreal
------

On Wednesday 30 June 2004 12:24, Fabio Antonio Esquivel Chac=F3n wrote:
> I just installed Windows XP Pro Service Pack 2 (Release Candidate 2) on my
> notebook and noticed that my TAP Adapter disappeared from my list of
> Network Connections in Control Panel.

Which version of OpenVPN are you using?

The 2.0-beta series has a fix for this.

The problem is that the recent XP SP2 release candidate has a bug where=20
network interfaces which have a hardware ID which is 3 characters long go=20
missing in the control panel.  Not kidding.

So we fixed the .INF file to use "TAP0801" rather than "TAP"

James

I'm using the latest stable relase, 1.6.0, so I guess that's my problem...

Is the latest 2.0-beta stable enough for deployment (at least in a single notebook with SP2RC2)?

On Wed, 30 Jun 2004 12:39:11 -0400, James Yonan <jim@...> wrote:

> On Wednesday 30 June 2004 12:24, Fabio Antonio Esquivel Chacón wrote:
>> I just installed Windows XP Pro Service Pack 2 (Release Candidate 2) on my
>> notebook and noticed that my TAP Adapter disappeared from my list of
>> Network Connections in Control Panel.
>
> Which version of OpenVPN are you using?
>
> The 2.0-beta series has a fix for this.
>
> The problem is that the recent XP SP2 release candidate has a bug where
> network interfaces which have a hardware ID which is 3 characters long go
> missing in the control panel.  Not kidding.
>
> So we fixed the .INF file to use "TAP0801" rather than "TAP"
>
> James
>
>



-- 
   Fabio
        //

------
   Haga que su nombre sea su dirección de correo
   en http://www.netidentity.com/GIXIVCKD

   Mis DVDs: http://www.intervocative.com/dvdcollection.aspx/Unreal
------

On Wed, 30 Jun 2004, [windows-1252] Fabio Antonio Esquivel Chac=F3n wrote:

>>> I just installed Windows XP Pro Service Pack 2 (Release Candidate 2)=20
>>> on my notebook and noticed that my TAP Adapter disappeared from my=20
>>> list of Network Connections in Control Panel.
>>=20
>> Which version of OpenVPN are you using?
>>=20
>> The 2.0-beta series has a fix for this.
>>=20
>> The problem is that the recent XP SP2 release candidate has a bug where
>> network interfaces which have a hardware ID which is 3 characters long g=
o
>> missing in the control panel.  Not kidding.
>>=20
>> So we fixed the .INF file to use "TAP0801" rather than "TAP"
>
> I'm using the latest stable relase, 1.6.0, so I guess that's my problem..=
=2E
>
> Is the latest 2.0-beta stable enough for deployment (at least in a single=
=20
> notebook with SP2RC2)?

I've been using the 2.0-beta series for about a month now on 4 laptops=20
with WinXP without any problem what so ever...

PS: Please don't top-post.

--=20
_____________________________________________________________
Mathias Sundman                  (^)   ASCII Ribbon Campaign
NILINGS AB                        X    NO HTML/RTF in e-mail
Tel: +46-(0)8-666 32 28          / \   NO Word docs in e-mail

Am Mittwoch, 30. Juni 2004 18:45 schrieb Fabio Antonio Esquivel Chac=F3n:
> I'm using the latest stable relase, 1.6.0, so I guess that's my problem...

that's true... the openvpn 1.6 release doesn't have a bug fix for this=20
included.

> Is the latest 2.0-beta stable enough for deployment (at least in a single
> notebook with SP2RC2)?

depends on what you need. There shouldn't be any really critical bugs for=20
simple setups with the openvpn2...

But for real production system I would suggest not to use openvpn 2 beta. B=
ut=20
it is also strongly recommend not to use the release candiate of the servic=
e=20
pack 2 on production system. So I guess it's not a production system at all.

You can also mix 1.6 and 2.0 systems normaly... So you only need to upgrade=
=20
openvpn your sp2 machine.

> On Wed, 30 Jun 2004 12:39:11 -0400, James Yonan <jim@...> wrote:
> > On Wednesday 30 June 2004 12:24, Fabio Antonio Esquivel Chac=F3n wrote:
> >> I just installed Windows XP Pro Service Pack 2 (Release Candidate 2) on
> >> my notebook and noticed that my TAP Adapter disappeared from my list of
> >> Network Connections in Control Panel.
> >
> > Which version of OpenVPN are you using?
> >
> > The 2.0-beta series has a fix for this.
> >
> > The problem is that the recent XP SP2 release candidate has a bug where
> > network interfaces which have a hardware ID which is 3 characters long =
go
> > missing in the control panel.  Not kidding.
> >
> > So we fixed the .INF file to use "TAP0801" rather than "TAP"
> >
> > James

How do you push Wins and DNS entries to Windows?
           TIA,
              Don
BTW, I have had as many as 20 simultaneous connections with 2.0 Beta 7 on 
an 800Mhz PIII. The interesting thing is that I use this for web browsing 
and other things at my desk and I don't notice any performance hit but I am 
still adding users.


-- 
Don                     .~.
Weeks                   /V\                 L I N U X
                       //   \\          >Phear the Penguin<
dlweeks@...  /(     )\
                        ^^-^^

I want to set up a tunnel to a linux box in my offive
from my linux box at home.

The linux box in my office sits behind a firewall that
only allows http traffic.


Does anyone think thie is possible with openvpn or
maybe with openvpn + httptunnel

The the openvpn docs but only have examples involving
altering the firewall. I can't do that. 


The aim is to use telnet or ssh to access the linux
box in my office and check if some jobs I am running
have worked or failed then resubmit them without
having to travel to my work to do this. I have been
doing this via some email scripts but its not very
secure and error prone. 


thanks for any help.


	
	
		
___________________________________________________________ALL-NEW Yahoo! Messenger - all new features - even more fun!  http://uk.messenger.yahoo.com

Den 8. aug 2004, kl. 18:26, skrev rima tom:

> I want to set up a tunnel to a linux box in my offive
> from my linux box at home.
>
> The linux box in my office sits behind a firewall that
> only allows http traffic.
>
>
> Does anyone think thie is possible with openvpn or
> maybe with openvpn + httptunnel
>
> The the openvpn docs but only have examples involving
> altering the firewall. I can't do that.

Did you try just running openvpn at port 80 at home?



JonB

Hello rima,

please use topics in the future!

take a look in the archive, I've wroten howto workaround a corporate proxy
in "Http-Proxy Example"

regards

OPENVPN is a great tool i have seen so far.=0AI would like to know is there=
 a plan to integrate radius or tacacs authentication inside openvpn.=0AIn m=
ost of the commercial product, this feature is available and it is extensiv=
ely being used. To compete with commercial product, I feel authentication a=
nd accounting should be brought in.=0A=0Aregards=0ABhaskar

Den 3. sep 2004, kl. 11:24, skrev Bhaskar:

> OPENVPN is a great tool i have seen so far.
> I would like to know is there a plan to integrate radius or tacacs 
> authentication inside openvpn.

not to my knowledge. But if you want to you can build further 
authentication into OpenVPN,
but first opening a tunnel, and then doing the authentication.


> In most of the commercial product, this feature is available and it is 
> extensively being used. To compete with commercial product, I feel 
> authentication and accounting should be brought in.

Do you have any technical merit for including it ?



JonB

>To compete with
> commercial product, I feel authentication and accounting should be brought
> in

Probably can incorporate pam and nsswitch on the *nix platforms to accomplish 
this. We do this all the time for LDAP, WINS-DC and AD external 
authentication ( samba, etc.). Does a pam_radius module exist?
-- 
Raymond

hi,
Answer to Jon's question.
I feel providing an integration hook to OPENVPN with existing
infrastructure through radius or through any other standard protocol
will surely help companies to move from commercial product. This is
because all these guys do have user profile in rdbms or ldap or in
some form. Providing integration hook will increase the base of
openvpn and benefit the opensource community.

Raymond,
How do you think that you can integrate PAM and NSSWITCH on *nix
platform with OPENVPN.
Please provide me with more ideas so that i can try and push it back
to community.

regards
Bhaskar
PS: I have moved my account from tvkbhaskar@... to
tvkbhaskar@...

On Fri, 3 Sep 2004 04:05:30 -0700, Raymond <support@...> wrote:
> >To compete with
> > commercial product, I feel authentication and accounting should be brought
> > in
> 
> Probably can incorporate pam and nsswitch on the *nix platforms to accomplish
> this. We do this all the time for LDAP, WINS-DC and AD external
> authentication ( samba, etc.). Does a pam_radius module exist?
> --
> Raymond
> 
> 
> 
> 
> -------------------------------------------------------
> This SF.Net email is sponsored by BEA Weblogic Workshop
> FREE Java Enterprise J2EE developer tools!
> Get your free copy of BEA WebLogic Workshop 8.1 today.
> http://ads.osdn.com/?ad_id=5047&alloc_id=10808&op=click
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@...
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
>

hi all,
I would like to provide a cut-down version of openvpn client
installation executable to my users along with the my site specific
config file.
Need your help

regards
Bhaskar

Den 4. sep 2004, kl. 5:34, skrev Bhaskar K:

> hi all,
> I would like to provide a cut-down version of openvpn client
> installation executable to my users along with the my site specific

what would you cut out ?

> config file.

i modified the easy-rsa scripts to make a certificate for each user,
make a .config from a template, add some scripts to change password
on the certificate, and pack it all with the standard openvpn installer 
in a nice
zip file which i then can mail the user. When i make the certificate it 
is
protected by a password untill the user changes that

It shouldnt be too hard for you to do the same, unless of course you 
make
the certificates on a windows machine, that usualy has no scripting 
capabilities.



JonB

Hi,
What I meant here is two things.
1. To remove sample config files, key files and other scripts.
2. Would like to add my company specific config files to the installer
so that users can click on a button, install and start using it
I need it for both windows and linux versions.

let me know how can do this.

regards


On Sat, 4 Sep 2004 08:39:32 +0200, Jon Bendtsen <jon.bendtsen@...> wrote:
> Den 4. sep 2004, kl. 5:34, skrev Bhaskar K:
> 
> > hi all,
> > I would like to provide a cut-down version of openvpn client
> > installation executable to my users along with the my site specific
> 
> what would you cut out ?
> 
> > config file.
> 
> i modified the easy-rsa scripts to make a certificate for each user,
> make a .config from a template, add some scripts to change password
> on the certificate, and pack it all with the standard openvpn installer
> in a nice
> zip file which i then can mail the user. When i make the certificate it
> is
> protected by a password untill the user changes that
> 
> It shouldnt be too hard for you to do the same, unless of course you
> make
> the certificates on a windows machine, that usualy has no scripting
> capabilities.
> 
> JonB
> 
>

Den 8. sep 2004, kl. 8:22, skrev Bhaskar K:

> Hi,
> What I meant here is two things.
> 1. To remove sample config files, key files and other scripts.
> 2. Would like to add my company specific config files to the installer
> so that users can click on a button, install and start using it
> I need it for both windows and linux versions.
>
> let me know how can do this.

i dont think this is the correct forum, you need a forum that focuses
on windows installers.



JonB

On Wed, 8 Sep 2004, Bhaskar K wrote:

> Hi,
> What I meant here is two things.
> 1. To remove sample config files, key files and other scripts.
> 2. Would like to add my company specific config files to the installer
> so that users can click on a button, install and start using it
> I need it for both windows and linux versions.

On Windows:
Install NSIS 2.0beta3 (The 2.0-Release version will not work without 
modifying the nsis script.)

Get the nsis script from openvpn source and modify it to include your 
config file instead of the sample file.

Put the openvpn binarys and dlls in a directory stucture so that the nsis 
script finds all files where it wants it (or modify the script the way YOU 
want it).

Build the installation package.

If you want to include OpenVPN GUI in the installation package, let me 
know, and I can send you the NSIS script I've used to build the 
installation package, which is just a little modification of the original 
OpenVPN installation package.


Linux:
Don't know really. I'd would probably pre-compile openvpn and make a 
tar-ball with the openvpn binary and the config file.


I would distribute keys and certs seperatly so I don't have to build a new 
installation package for every user.

-- 
_________________________________________________________
Mathias Sundman              (^)   ASCII Ribbon Campaign
NILINGS AB                    X    NO HTML/RTF in e-mail
Tel: +46-(0)8-666 32 28      / \   NO Word docs in e-mail

On Wed, 8 Sep 2004, Waldemar Brodkorb wrote:

>>> What I meant here is two things.
>>> 1. To remove sample config files, key files and other scripts.
>>> 2. Would like to add my company specific config files to the installer
>>> so that users can click on a button, install and start using it
>>> I need it for both windows and linux versions.
>>
>> On Windows:
>> Install NSIS 2.0beta3 (The 2.0-Release version will not work without
>> modifying the nsis script.)
>>
>> Get the nsis script from openvpn source and modify it to include your
>> config file instead of the sample file.
>>
>> Put the openvpn binarys and dlls in a directory stucture so that the nsis
>> script finds all files where it wants it (or modify the script the way YOU
>> want it).
>>
>> Build the installation package.
>>
>> If you want to include OpenVPN GUI in the installation package, let me
>> know, and I can send you the NSIS script I've used to build the
>> installation package, which is just a little modification of the original
>> OpenVPN installation package.
>
> Can you please send it to me, too?

I got a few request for this nsis script, so I put it up for download on 
my web server...

http://www.nilings.se/openvpn/files/install_packages/openvpn-gui.nsi

-- 
_________________________________________________________
Mathias Sundman              (^)   ASCII Ribbon Campaign
NILINGS AB                    X    NO HTML/RTF in e-mail
Tel: +46-(0)8-666 32 28      / \   NO Word docs in e-mail

On Wed, 8 Sep 2004, Mathias Sundman wrote:

> On Wed, 8 Sep 2004, Bhaskar K wrote:
> 
> > Hi,
> > What I meant here is two things.
> > 1. To remove sample config files, key files and other scripts.
> > 2. Would like to add my company specific config files to the installer
> > so that users can click on a button, install and start using it
> > I need it for both windows and linux versions.
> 
> On Windows:
> Install NSIS 2.0beta3 (The 2.0-Release version will not work without 
> modifying the nsis script.)

Mathias,

Any idea on what needs to be changed to bring the install script up to 
NSIS 2.0-Release?
 
James

On Wed, 8 Sep 2004, James Yonan wrote:

>>> What I meant here is two things.
>>> 1. To remove sample config files, key files and other scripts.
>>> 2. Would like to add my company specific config files to the installer
>>> so that users can click on a button, install and start using it
>>> I need it for both windows and linux versions.
>>
>> On Windows:
>> Install NSIS 2.0beta3 (The 2.0-Release version will not work without
>> modifying the nsis script.)
>
> Mathias,
>
> Any idea on what needs to be changed to bring the install script up to
> NSIS 2.0-Release?

No, I havn't put any more effort into it since we discussed it last time. 
2.0beta3 has worked flawlessly for me to, so I havn't felt the need to 
change.

I could give it another look though if you want to make the move...

-- 
_________________________________________________________
Mathias Sundman              (^)   ASCII Ribbon Campaign
NILINGS AB                    X    NO HTML/RTF in e-mail
Tel: +46-(0)8-666 32 28      / \   NO Word docs in e-mail

Hi,
I need a help getting this working. The client is running on XP and the 
server is Linux Debian, but I cannot ping the server. There's nothing in th 
status log. 

The client config.ovpn:
# During installation TAP was installed.
client
dev tun
proto udp
IPADDRESS:5000
resolv-retry infinite
nobind
mute-replay-warnings
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\client0001.crt"
key "C:\\Program Files\\OpenVPN\\config\\client0001.key"
tls-auth "C:\\Program Files\\OpenVPN\\config\\ask-hmac.key" 1
comp-lzo
verb 4
mute 20 

The server.conf file:
local IPADDRESS
port 5000
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/office.crt
key /etc/openvpn/keys/office.key  # This file is secret
dh /etc/openvpn/keys/dh2048.pem
server 10.13.13.0 255.255.255.0
push "route 192.168.191.0 255.255.255.0"
keepalive 10 60
tls-auth /etc/openvpn/keys/ask-hmac.key 0 # This file is secret
comp-lzo
max-clients 20
user nobody
group www-data
persist-key
persist-tun
status openvpn-status.log
verb 4
mute 20 

I did create my onw keys. And openvpn starts without error on client and 
server. Can anyone find a problem in the setup? I'm using the 2.0_beta11 
from source. 

Is there a way to make the client authenticate before connecting to the vpn? 
I created a passworded client key but was not prompted for a password when 
starting Openvpn. 

A little confused,
Thanks,
Craig Jackson 

C

Hi All,

Our organization is presently new to OpenVPN and we
would like to assess its ability on our
infrastructure.  Being in a 3rd world country, ISP's
use NAT to save on public IPs.

So here's the dilemma.  Does VPN configuration (even
the beta is assessed), that allows only the server to
have a public ip (we have a internet connected server
on a static public internet accessible ip).  But our
client PC's (off-site and other branches) use both DSL
and Dial-Ups.  And sometimes, due to cost cutting of
ISPs, the ISP gives them NATed IPs (private to ISP,
not externally pingable).  Can these clients still
configure OpenVPN in a way that the connection will
always come from them (and will maintain it, so that
data can flow down to these clients)?  Can you point
me on a good direction?

So far all the docs that I have read is about both
peers to have public IPs.  None with our setup.  

Thanks in advance.

Dan


		
__________________________________ 
Do you Yahoo!? 
The all-new My Yahoo! - Get yours free! 
http://my.yahoo.com

The side initiating the connection need not have a public IP, but the
other side must. In client/server mode, the server must have a public IP;
if it's only the clients which will have public IPs, you'll presumably
want to use peer-to-peer mode.

If neither system will have a public IP, you'll probably need to have a
trusted 3rd-party intermediary that does have one acting as a hub for
you. Alternately, you could consider the use of a tool such as chownat
[http://chownat.lucidx.com/] to allow communication between the systems.

On Sun, 21 Nov 2004, Kranasian Soul X wrote:

> Hi All,
> 
> Our organization is presently new to OpenVPN and we
> would like to assess its ability on our
> infrastructure.  Being in a 3rd world country, ISP's
> use NAT to save on public IPs.
> 
> So here's the dilemma.  Does VPN configuration (even
> the beta is assessed), that allows only the server to
> have a public ip (we have a internet connected server
> on a static public internet accessible ip).  But our
> client PC's (off-site and other branches) use both DSL
> and Dial-Ups.  And sometimes, due to cost cutting of
> ISPs, the ISP gives them NATed IPs (private to ISP,
> not externally pingable).  Can these clients still
> configure OpenVPN in a way that the connection will
> always come from them (and will maintain it, so that
> data can flow down to these clients)?  Can you point
> me on a good direction?
> 
> So far all the docs that I have read is about both
> peers to have public IPs.  None with our setup.  

Only one OpenVPN peer needs to have a public address, and dynamic
addresses are supported.  See the FAQ for more discussion on the use of
dynamic addresses.

James

Hello List,

I have some trouble with OpenVPN 2.0rc6 on a Windows 2003 SBS server, SP1.

Occasionally (once or twice a week), after the connection with the peer is re-established,
the TAP device fails to obtain the IP address set by OpenVPN.
The log file says the following:

---------------
Fri Feb 25 15:18:34 2005 us=173685 NOTE: FlushIpNetTable failed on interface
[2] {5A4DE833-7293-4544-98EF-3CE949D78158} (status=1413) : Invalid index.
---------------
followd by a _lot_ of these:
---------------
Fri Feb 25 15:18:53 2005 us=687643 TEST ROUTES: 0/0 succeeded len=1 ret=0
a=0 u/d=down
Fri Feb 25 15:18:53 2005 us=687764 Route: Waiting for TUN/TAP interface to
come up...
---------------

Of course, since the TAP adapter does not receive an IP address, the route addition after that consequently fails.


Thank you for your help in advance.

Sincerely,
   Andreas Iwanowski

HELP !
I test openvpn V2  in ADSL ,all is ok. But when a client use GRPS,it's wrong.Can anyone give advice?

HELP !
It establishes the connection as usual. Data destined for the VPN enters
the tap but never makes it out the GPRS link, according to ethereal, and
the connection drops after ping-timeout. Connecting via anything else
works fine. Maximum debug on the client doesn't show anything immediately
obvious to me.
This is with 2.0b11 on both ends, XP client to 2K server, using TCP.
GPRS is via standard modem-over-IR emulation.

Has anyone done this successfully?

On Sun, 27 Mar 2005 09:42:49 +0800, lilixinCQU wrote:

> HELP !
> I test openvpn V2  in ADSL ,all is ok. But when a client use GRPS,it's
> wrong.Can anyone give advice?

Well, you're not really giving enough information for a useful diagnosis.
That said, I'd try tuning your MTU settings -- likely GPRS doesn't allow
very large UDP packets.

openvpn-users:
   How can I disable the DHCP function of OpenVpn Server and assig a static IP to my client?
   Can some one give me advice ?

On Mon, 28 Mar 2005 08:32:42 +0800, lilixinCQU wrote:

> openvpn-users:
>    How can I disable the DHCP function of OpenVpn Server and assig a
>    static IP to my client? Can some one give me advice ?

You're using server mode, so I take it you have multiple clients?

You can either use a ifconfig-pool-persist file with seconds set to 0
(with the caveat that this prevents systems with their IPs *not* specified
in the file from having them persisted), or, better, use a
client-config-dir to specify ifconfig-push directives.

This is covered in the man page.

One of the users I support is having the same problem (I think). 
Since the connection established fine, I just assumed that the
software the GPRS card uses under Windows ignores changes to the
routing table after the GPRS link is brought up.

I'll be thrilled if it's just an MTU setting...but in that case, would
not the GPRS interface just fragment them for you?

-Tom


On Sat, 26 Mar 2005 20:15:50 -0600, Charles Duffy <cduffy@...> wrote:
> On Sun, 27 Mar 2005 09:42:49 +0800, lilixinCQU wrote:
> 
> > HELP !
> > I test openvpn V2  in ADSL ,all is ok. But when a client use GRPS,it's
> > wrong.Can anyone give advice?
> 
> Well, you're not really giving enough information for a useful diagnosis.
> That said, I'd try tuning your MTU settings -- likely GPRS doesn't allow
> very large UDP packets.
> 
> -------------------------------------------------------
> SF email is sponsored by - The IT Product Guide
> Read honest & candid reviews on hundreds of IT Products from real users.
> Discover which products truly live up to the hype. Start reading now.
> http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@...
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
> 


-- 
Tom Monaco
tbmonaco@...

http://csgeekpyro.blogspot.com

Tom Monaco wrote:

>One of the users I support is having the same problem (I think). 
>Since the connection established fine, I just assumed that the
>software the GPRS card uses under Windows ignores changes to the
>routing table after the GPRS link is brought up.
>
>I'll be thrilled if it's just an MTU setting...but in that case, would
>not the GPRS interface just fragment them for you?
>
>-Tom
>
>
>On Sat, 26 Mar 2005 20:15:50 -0600, Charles Duffy <cduffy@...> wrote:
>  
>
>>On Sun, 27 Mar 2005 09:42:49 +0800, lilixinCQU wrote:
>>
>>    
>>
>>>HELP !
>>>I test openvpn V2  in ADSL ,all is ok. But when a client use GRPS,it's
>>>wrong.Can anyone give advice?
>>>      
>>>
>>Well, you're not really giving enough information for a useful diagnosis.
>>That said, I'd try tuning your MTU settings -- likely GPRS doesn't allow
>>very large UDP packets.
>>
>>-------------------------------------------------------
>>SF email is sponsored by - The IT Product Guide
>>Read honest & candid reviews on hundreds of IT Products from real users.
>>Discover which products truly live up to the hype. Start reading now.
>>http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
>>_______________________________________________
>>Openvpn-users mailing list
>>Openvpn-users@...
>>https://lists.sourceforge.net/lists/listinfo/openvpn-users
>>
>>    
>>
>
>
>  
>

Just to shine a ray of hope without adding anything to the technical side of this discussion: I use OpenVPN all the time over Verizon EVDO from Linux (Suse9.2Pro) and Windows XP Pro.  I did not make any MTU or other changes to get it to work.

gt

-- 

_____

Secure Wireless Networking Now

Glynn Taylor

President

WiFiConsulting, Inc.

Voice 202-667-5282

Fax 202-478-1871

GT@...

http://www.WiFiConsulting.com

http://www.HotSpotVPN.com

and soon: http://www.DCSansWires.net (A Washington DC wireless ISP)

The information contained in this e-mail message may involve confidential and/or privileged material that is solely transmitted for the purposes of the intended recipient(s). If the reader of this message is not an intended recipient, or if this message has been inadvertently directed to your attention, you are hereby notified that you have received this message and any attached document(s) in error and that any review, dissemination, distribution, or copying of this message is strictly prohibited. If you have received this message in error, please notify us immediately by return e-mail and delete and destroy all copies of the original message.

Any other use of this email by you is prohibited.

_____

> Just as a followup to my self here:
 >
 > Using the exact same config files, everything works perfect when set
 > to TCP. As soon as it is changed to UDP, these errors kick in.
 >
 > So, I have a work around for now. But, this does indicate to me
 > something is wrong with either the tun driver on OS X, or openvpn on
 > OS X.

 >One way to do the latter is to use the --rcvbuf and --sndbuf parameters to
 >use a lower value.  Since the kernel appears to be set to use 8192, try
 >lower values than this.

I have the same setup and the same problem. --rcvbuf and --sndbuf don't 
resolve it.
If I use really small values, like 1024, I get another error instead:

Wed Apr 13 16:22:23 2005 us=65586 write UDPv4: Message too long (code=40)

If I set the buffers to e.g. 1500 (same as MTU), I get the OP's errors.

Anyone?
Muell

confirm 855012


.

confirm 626868

I got a little ambitious and decided to install OpenVPN. After fighting =
with
it for a couple nights I have it working. But I just am noticing some
"warning" messages in the client connect log and I am hoping someone on =
the
list may be able to help me out and tell me where I goofed.

=20

Thanks in Advance.

=20

------Here are the entries that concern me from my client log--------

=20

=20

Sun Jul 17 19:10:04 2005 us=3D91173 NOTE: Options consistency check may =
be
skewed by version differences

Sun Jul 17 19:10:04 2005 us=3D91220 WARNING: 'version' is used =
inconsistently,
local=3D'version V4', remote=3D'version V0 UNDEF'

Sun Jul 17 19:10:04 2005 us=3D91240 WARNING: 'dev-type' is present in =
local
config but missing in remote config, local=3D'dev-type tap'

Sun Jul 17 19:10:04 2005 us=3D91258 WARNING: 'link-mtu' is present in =
local
config but missing in remote config, local=3D'link-mtu 1590'

Sun Jul 17 19:10:04 2005 us=3D91276 WARNING: 'tun-mtu' is present in =
local
config but missing in remote config, local=3D'tun-mtu 1532'

Sun Jul 17 19:10:04 2005 us=3D91293 WARNING: 'proto' is present in local
config but missing in remote config, local=3D'proto UDPv4'

Sun Jul 17 19:10:04 2005 us=3D91312 WARNING: 'comp-lzo' is present in =
local
config but missing in remote config, local=3D'comp-lzo'

Sun Jul 17 19:10:04 2005 us=3D91330 WARNING: 'keydir' is present in =
local
config but missing in remote config, local=3D'keydir 0'

Sun Jul 17 19:10:04 2005 us=3D91349 WARNING: 'cipher' is present in =
local
config but missing in remote config, local=3D'cipher AES-128-CBC'

Sun Jul 17 19:10:04 2005 us=3D91366 WARNING: 'auth' is present in local =
config
but missing in remote config, local=3D'auth SHA1'

Sun Jul 17 19:10:04 2005 us=3D91383 WARNING: 'keysize' is present in =
local
config but missing in remote config, local=3D'keysize 128'

Sun Jul 17 19:10:04 2005 us=3D91401 WARNING: 'tls-auth' is present in =
local
config but missing in remote config, local=3D'tls-auth'

Sun Jul 17 19:10:04 2005 us=3D91418 WARNING: 'key-method' is present in =
local
config but missing in remote config, local=3D'key-method 2'

Sun Jul 17 19:10:04 2005 us=3D91436 WARNING: 'tls-server' is present in =
local
config but missing in remote config, local=3D'tls-server'

=20

=20

=20

Can anyone please tell me what I am missing? How do I get rid of all =
these
warning messages?=20

=20

Thanks in advance.

=20

Troy

=20

=20

Ok here is a client config:

=20

SNIP>>>>>>>>>>>>>>>>>>

# tun-style tunnel

dev tap0

=20

#OpenVPN Standard port (UDP)

port 1194

=20

#Local for testing only

remote 10.126.26.254

=20

#Remote for testing

#remote 139.157.237.176

=20

#Cipher to use

cipher AES-128-CBC

=20

#Enable Compression to save bandwidth

comp-lzo

=20

# tls parameters

tls-client

tls-auth ta.key 1

=20

#Keys

ca ca.crt

cert SicBoy.crt

key SicBoy.key

=20

# get more configuration from the server

pull

=20

# logging verbosity

verb 5

=20

END SNIP>>>>>>>>>>>>>>>>>>>>>>>>

=20

And here is the server config:

=20

SNIP>>>>>>>>>>>>>>>>>>>>>>>>>>>>

=20

The server side of the config didn't come through on my end...

Are you sure both sides of the VPN are the same version?

Also good to put a subject on the message that way more people are 
likely to look at it ;-)



troy wrote:
> I got a little ambitious and decided to install OpenVPN. After fighting 
> with it for a couple nights I have it working. But I just am noticing 
> some “warning” messages in the client connect log and I am hoping 
> someone on the list may be able to help me out and tell me where I goofed.
> 
>  
> 
> Thanks in Advance.
> 
>  
> 
> ------Here are the entries that concern me from my client log--------
> 
>  
> 
>  
> 
> Sun Jul 17 19:10:04 2005 us=91173 NOTE: Options consistency check may be 
> skewed by version differences
> 
> Sun Jul 17 19:10:04 2005 us=91220 WARNING: 'version' is used 
> inconsistently, local='version V4', remote='version V0 UNDEF'
> 
> Sun Jul 17 19:10:04 2005 us=91240 WARNING: 'dev-type' is present in 
> local config but missing in remote config, local='dev-type tap'
> 
> Sun Jul 17 19:10:04 2005 us=91258 WARNING: 'link-mtu' is present in 
> local config but missing in remote config, local='link-mtu 1590'
> 
> Sun Jul 17 19:10:04 2005 us=91276 WARNING: 'tun-mtu' is present in local 
> config but missing in remote config, local='tun-mtu 1532'
> 
> Sun Jul 17 19:10:04 2005 us=91293 WARNING: 'proto' is present in local 
> config but missing in remote config, local='proto UDPv4'
> 
> Sun Jul 17 19:10:04 2005 us=91312 WARNING: 'comp-lzo' is present in 
> local config but missing in remote config, local='comp-lzo'
> 
> Sun Jul 17 19:10:04 2005 us=91330 WARNING: 'keydir' is present in local 
> config but missing in remote config, local='keydir 0'
> 
> Sun Jul 17 19:10:04 2005 us=91349 WARNING: 'cipher' is present in local 
> config but missing in remote config, local='cipher AES-128-CBC'
> 
> Sun Jul 17 19:10:04 2005 us=91366 WARNING: 'auth' is present in local 
> config but missing in remote config, local='auth SHA1'
> 
> Sun Jul 17 19:10:04 2005 us=91383 WARNING: 'keysize' is present in local 
> config but missing in remote config, local='keysize 128'
> 
> Sun Jul 17 19:10:04 2005 us=91401 WARNING: 'tls-auth' is present in 
> local config but missing in remote config, local='tls-auth'
> 
> Sun Jul 17 19:10:04 2005 us=91418 WARNING: 'key-method' is present in 
> local config but missing in remote config, local='key-method 2'
> 
> Sun Jul 17 19:10:04 2005 us=91436 WARNING: 'tls-server' is present in 
> local config but missing in remote config, local='tls-server'
> 
>  
> 
>  
> 
>  
> 
> Can anyone please tell me what I am missing? How do I get rid of all 
> these warning messages?
> 
>  
> 
> Thanks in advance.
> 
>  
> 
> Troy
> 
>  
> 
>  
> 
> Ok here is a client config:
> 
>  
> 
> SNIP>>>>>>>>>>>>>>>>>>
> 
> # tun-style tunnel
> 
> dev tap0
> 
>  
> 
> #OpenVPN Standard port (UDP)
> 
> port 1194
> 
>  
> 
> #Local for testing only
> 
> remote 10.126.26.254
> 
>  
> 
> #Remote for testing
> 
> #remote 139.157.237.176
> 
>  
> 
> #Cipher to use
> 
> cipher AES-128-CBC
> 
>  
> 
> #Enable Compression to save bandwidth
> 
> comp-lzo
> 
>  
> 
> # tls parameters
> 
> tls-client
> 
> tls-auth ta.key 1
> 
>  
> 
> #Keys
> 
> ca ca.crt
> 
> cert SicBoy.crt
> 
> key SicBoy.key
> 
>  
> 
> # get more configuration from the server
> 
> pull
> 
>  
> 
> # logging verbosity
> 
> verb 5
> 
>  
> 
> END SNIP>>>>>>>>>>>>>>>>>>>>>>>>
> 
>  
> 
> And here is the server config:
> 
>  
> 
> SNIP>>>>>>>>>>>>>>>>>>>>>>>>>>>>
> 
>  
>

Oops! Ok here is the server side config. The server and the client are =
both
running OpenVPN 2.x

# we are a multi-client udp server
mode    server

# tun-style tunnel
port    1194
dev     tap0

#Cipher
cipher AES-128-CBC   # AES

# TLS parameters
tls-server

#Keys
tls-auth /etc/openvpn/keys/ta.key 0  # This file is secret
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/Cerberus.crt
key /etc/openvpn/keys/Cerberus.key  # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem

# virtual endpoints (are these arbitrary?)
ifconfig 10.10.33.1 255.255.255.0

# pool of IPs for connecting clients
push "ip-win32 dynamic"
ifconfig-pool 10.10.33.200 10.10.33.250 255.255.255.0

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
max-clients 10

#Allow OpenVPN connected systems to see each other
client-to-client

# autoconfig all IP traffic over VPN
push    "route 10.0.0.0 255.0.0.0 10.10.33.1"
push    "dhcp-option DNS 10.10.26.254"
push    "dhcp-option WINS 10.10.27.26"
push    "dhcp-option DOMAIN Vallhalla.network"
push    "dhcp-option NBT 2"


# change to lower priviledges for more security
user    nobody
group   nogroup

#Log Location
status /var/log/openvpn-status.log
log         /var/log/openvpn.log

# logging verbosity
verb 4
mute 20

keepalive 10 60

END SNIP>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

-----Original Message-----
From: openvpn-users-admin@...
[mailto:openvpn-users-admin@...] On Behalf Of Glen
Marchesani
Sent: Wednesday, July 20, 2005 7:15 AM
To: troy
Cc: openvpn-users@...
Subject: Re: [Openvpn-users] (no subject)


The server side of the config didn't come through on my end...

Are you sure both sides of the VPN are the same version?

Also good to put a subject on the message that way more people are=20
likely to look at it ;-)



troy wrote:
> I got a little ambitious and decided to install OpenVPN. After =
fighting=20
> with it for a couple nights I have it working. But I just am noticing=20
> some "warning" messages in the client connect log and I am hoping=20
> someone on the list may be able to help me out and tell me where I =
goofed.
>=20
> =20
>=20
> Thanks in Advance.
>=20
> =20
>=20
> ------Here are the entries that concern me from my client log--------
>=20
> =20
>=20
> =20
>=20
> Sun Jul 17 19:10:04 2005 us=3D91173 NOTE: Options consistency check =
may be=20
> skewed by version differences
>=20
> Sun Jul 17 19:10:04 2005 us=3D91220 WARNING: 'version' is used=20
> inconsistently, local=3D'version V4', remote=3D'version V0 UNDEF'
>=20
> Sun Jul 17 19:10:04 2005 us=3D91240 WARNING: 'dev-type' is present in=20
> local config but missing in remote config, local=3D'dev-type tap'
>=20
> Sun Jul 17 19:10:04 2005 us=3D91258 WARNING: 'link-mtu' is present in=20
> local config but missing in remote config, local=3D'link-mtu 1590'
>=20
> Sun Jul 17 19:10:04 2005 us=3D91276 WARNING: 'tun-mtu' is present in =
local=20
> config but missing in remote config, local=3D'tun-mtu 1532'
>=20
> Sun Jul 17 19:10:04 2005 us=3D91293 WARNING: 'proto' is present in =
local=20
> config but missing in remote config, local=3D'proto UDPv4'
>=20
> Sun Jul 17 19:10:04 2005 us=3D91312 WARNING: 'comp-lzo' is present in=20
> local config but missing in remote config, local=3D'comp-lzo'
>=20
> Sun Jul 17 19:10:04 2005 us=3D91330 WARNING: 'keydir' is present in =
local=20
> config but missing in remote config, local=3D'keydir 0'
>=20
> Sun Jul 17 19:10:04 2005 us=3D91349 WARNING: 'cipher' is present in =
local=20
> config but missing in remote config, local=3D'cipher AES-128-CBC'
>=20
> Sun Jul 17 19:10:04 2005 us=3D91366 WARNING: 'auth' is present in =
local=20
> config but missing in remote config, local=3D'auth SHA1'
>=20
> Sun Jul 17 19:10:04 2005 us=3D91383 WARNING: 'keysize' is present in =
local=20
> config but missing in remote config, local=3D'keysize 128'
>=20
> Sun Jul 17 19:10:04 2005 us=3D91401 WARNING: 'tls-auth' is present in=20
> local config but missing in remote config, local=3D'tls-auth'
>=20
> Sun Jul 17 19:10:04 2005 us=3D91418 WARNING: 'key-method' is present =
in=20
> local config but missing in remote config, local=3D'key-method 2'
>=20
> Sun Jul 17 19:10:04 2005 us=3D91436 WARNING: 'tls-server' is present =
in=20
> local config but missing in remote config, local=3D'tls-server'
>=20
> =20
>=20
> =20
>=20
> =20
>=20
> Can anyone please tell me what I am missing? How do I get rid of all=20
> these warning messages?
>=20
> =20
>=20
> Thanks in advance.
>=20
> =20
>=20
> Troy
>=20
> =20
>=20
> =20
>=20
> Ok here is a client config:
>=20
> =20
>=20
> SNIP>>>>>>>>>>>>>>>>>>
>=20
> # tun-style tunnel
>=20
> dev tap0
>=20
> =20
>=20
> #OpenVPN Standard port (UDP)
>=20
> port 1194
>=20
> =20
>=20
> #Local for testing only
>=20
> remote 10.126.26.254
>=20
> =20
>=20
> #Remote for testing
>=20
> #remote 139.157.237.176
>=20
> =20
>=20
> #Cipher to use
>=20
> cipher AES-128-CBC
>=20
> =20
>=20
> #Enable Compression to save bandwidth
>=20
> comp-lzo
>=20
> =20
>=20
> # tls parameters
>=20
> tls-client
>=20
> tls-auth ta.key 1
>=20
> =20
>=20
> #Keys
>=20
> ca ca.crt
>=20
> cert SicBoy.crt
>=20
> key SicBoy.key
>=20
> =20
>=20
> # get more configuration from the server
>=20
> pull
>=20
> =20
>=20
> # logging verbosity
>=20
> verb 5
>=20
> =20
>=20
> END SNIP>>>>>>>>>>>>>>>>>>>>>>>>
>=20
> =20
>=20
> And here is the server config:
>=20
> =20
>=20
> SNIP>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>=20
> =20
>=20



-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. =
http://ads.osdn.com/?ad_id=3D7477&alloc_id=3D16492&op=3Dclick
_______________________________________________
Openvpn-users mailing list
Openvpn-users@...
https://lists.sourceforge.net/lists/listinfo/openvpn-users

On Wed, 20 Jul 2005 09:05:25 -0600, troy wrote:

> Oops! Ok here is the server side config. The server and the client are
> both running OpenVPN 2.x

Are you sure one of them doesn't have a different version installed
somewhere else, earlier in the path?

Also, as an aside, you might want to consider using the "server"
directive, which will make several of the other items in your config
redundant.

Ok I am confused. I thought that I did have the "server" directive in my
server config...=20

SNIP>>>>>>>>>>>
# we are a multi-client udp server
mode    server
END SNIP>>>>>>>>

Can you please clarify your statement for me?=20

In answer to your second question regarding possible version =
differences,
here are the versions that I am running:

Server =3D Version: 2.0 Rev 1
Client =3D openvpn-2.0-gui-1.0=20

I hope this help clarify things a bit.

If you have any suggestions or see any obvious mistakes in my config =
please
feel free to point them out to me clearly since I am a bit of a newbie =
and
if your recommendations are vague all that will do is confuse me more. =
:)

Thanks again for your quick response! This is a good list. NO spam yet. =
(Joy
Joy)

Troy

-----Original Message-----
From: openvpn-users-admin@...
[mailto:openvpn-users-admin@...] On Behalf Of Charles
Duffy
Sent: Wednesday, July 20, 2005 10:56 AM
To: openvpn-users@...
Subject: [Openvpn-users] RE: Warning messages

On Wed, 20 Jul 2005 09:05:25 -0600, troy wrote:

> Oops! Ok here is the server side config. The server and the client are
> both running OpenVPN 2.x

Are you sure one of them doesn't have a different version installed
somewhere else, earlier in the path?

Also, as an aside, you might want to consider using the "server"
directive, which will make several of the other items in your config
redundant.



-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. =
http://ads.osdn.com/?ad_id=3D7477&alloc_id=3D16492&op=3Dclick
_______________________________________________
Openvpn-users mailing list
Openvpn-users@...
https://lists.sourceforge.net/lists/listinfo/openvpn-users

On Wed, 2005-07-20 at 13:20 -0600, troy wrote:
> Ok I am confused. I thought that I did have the "server" directive in my
> server config... 

  --mode server
is a different thing from
  --server

It's a terseness thing, not correctness -- the server directive simply
does everything "mode server" does and more, so you can take out a bunch
of other miscellany from your file.

WRT the warnings you're getting, I'm not sure why you'd see those.
Running with a high enough verbosity level (not higher than 4), you
ought to check the options lists used for the consistancy checks. The
lists themselves, as opposed to the warnings generated from their
inconsistancies, might be enlightening.

Cristiano Furtado dos Santos       
Administrador de Sistemas Linux
Salvador - Bahia                          
Fedora Core 4                              

__________________________________________________
Converse com seus amigos em tempo real com o Yahoo! Messenger 
http://br.download.yahoo.com/messenger/

subscribe

unsubscribe

Hey. I've got an unusual set of requirements for a VPN here, and,  
rather than waste days messing around with it, I thought I'd ask you  
folks first.

Essentially, I've got one machine behind a restrictive firewall which  
blocks incoming connections and severely rate-limits outgoing TCP  
traffic. I also have a machine outside the firewall with lots of  
bandwidth and multiple assigned IP addresses.

What I'd like to do is to set up a VPN connection such that all  
connections to a particular IP on the server are redirected to my  
machine across the VPN. Is this possible with OpenVPN, and, if so,  
what specific configuration options should I take note of?

Hi,

I tried to set up openvpn-2.0.2. I took over the sample script for the
firewall and added my personal settings. When I try to connect it gets until
"Initialisation sequence complete", but nothing is going on. I am not able
to ping the corporate network. I did some further checks and the pings are
reaching the machine dedicated to, but nothing returns from the firewall. As
I took the sample script I cannot imagine of any problem with the firewall
script. For completeness reasons here is the snipped iptables-save output:

--snip--
# Generated by iptables-save v1.2.11 on Mon Sep 12 12:43:05 2005
*nat
:PREROUTING ACCEPT [17243:1443111]
:POSTROUTING ACCEPT [10:724]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth1 -j MASQUERADE 
COMMIT
# Completed on Mon Sep 12 12:43:05 2005
# Generated by iptables-save v1.2.11 on Mon Sep 12 12:43:05 2005
*filter
:INPUT DROP [803:69374]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [267:23990]
-A INPUT -s 127.0.0.1 -i eth1 -j DROP 
-A INPUT -d 127.0.0.1 -i eth1 -j DROP 
-A INPUT -s 192.168.0.0/255.255.0.0 -i eth1 -j DROP 
-A INPUT -s 172.16.0.0/255.240.0.0 -i eth1 -j DROP 
-A INPUT -s 10.0.0.0/255.0.0.0 -i eth1 -j DROP 
-A INPUT -s 127.0.0.1 -j ACCEPT 
-A INPUT -d 127.0.0.1 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT 
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT 
-A INPUT -i tun+ -j ACCEPT 
-A INPUT -i eth0 -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -s 127.0.0.1 -i eth1 -j DROP 
-A FORWARD -d 127.0.0.1 -i eth1 -j DROP 
-A FORWARD -s 192.168.0.0/255.255.0.0 -i eth1 -j DROP 
-A FORWARD -s 172.16.0.0/255.240.0.0 -i eth1 -j DROP 
-A FORWARD -s 10.0.0.0/255.0.0.0 -i eth1 -j DROP 
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS
--clamp-mss-to-pmtu 
-A FORWARD -o eth1 -p tcp -m tcp --sport 137:139 -j DROP 
-A FORWARD -o eth1 -p udp -m udp --sport 137:139 -j DROP 
-A FORWARD -s ! 192.168.0.0/255.255.255.0 -i eth0 -j DROP 
-A FORWARD -i tun+ -j ACCEPT 
-A FORWARD -i eth0 -j ACCEPT 
-A FORWARD -o eth1 -m state --state NEW -j ACCEPT 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -o eth1 -p tcp -m tcp --sport 137:139 -j DROP 
-A OUTPUT -o eth1 -p udp -m udp --sport 137:139 -j DROP 
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT 
-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 53 -j ACCEPT 
-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 25 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 25 -j ACCEPT 
-A OUTPUT -o eth1 -m state --state NEW -j ACCEPT 
COMMIT
# Completed on Mon Sep 12 12:43:05 2005
--snip--

Does anyone of you have hint? 
Thanks in advance, Christophorus

-- 
Lust, ein paar Euro nebenbei zu verdienen? Ohne Kosten, ohne Risiko!
Satte Provisionen für GMX Partner: http://www.gmx.net/de/go/partner

Christophorus Laube wrote:
> Hi,
> 
> I tried to set up openvpn-2.0.2. I took over the sample script for the
> firewall and added my personal settings. When I try to connect it gets until
> "Initialisation sequence complete", but nothing is going on. I am not able
> to ping the corporate network. I did some further checks and the pings are
> reaching the machine dedicated to, but nothing returns from the firewall. As
> I took the sample script I cannot imagine of any problem with the firewall
> script. For completeness reasons here is the snipped iptables-save output:
> 
> --snip--
> # Generated by iptables-save v1.2.11 on Mon Sep 12 12:43:05 2005
> *nat
> :PREROUTING ACCEPT [17243:1443111]
> :POSTROUTING ACCEPT [10:724]
> :OUTPUT ACCEPT [0:0]
> -A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth1 -j MASQUERADE 
> COMMIT
> # Completed on Mon Sep 12 12:43:05 2005
> # Generated by iptables-save v1.2.11 on Mon Sep 12 12:43:05 2005
> *filter
> :INPUT DROP [803:69374]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [267:23990]
> -A INPUT -s 127.0.0.1 -i eth1 -j DROP 
> -A INPUT -d 127.0.0.1 -i eth1 -j DROP 
> -A INPUT -s 192.168.0.0/255.255.0.0 -i eth1 -j DROP 
> -A INPUT -s 172.16.0.0/255.240.0.0 -i eth1 -j DROP 
> -A INPUT -s 10.0.0.0/255.0.0.0 -i eth1 -j DROP 
> -A INPUT -s 127.0.0.1 -j ACCEPT 
> -A INPUT -d 127.0.0.1 -j ACCEPT 
> -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT 
> -A INPUT -p udp -m udp --dport 1194 -j ACCEPT 
> -A INPUT -i tun+ -j ACCEPT 
> -A INPUT -i eth0 -j ACCEPT 
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
> -A FORWARD -s 127.0.0.1 -i eth1 -j DROP 
> -A FORWARD -d 127.0.0.1 -i eth1 -j DROP 
> -A FORWARD -s 192.168.0.0/255.255.0.0 -i eth1 -j DROP 
> -A FORWARD -s 172.16.0.0/255.240.0.0 -i eth1 -j DROP 
> -A FORWARD -s 10.0.0.0/255.0.0.0 -i eth1 -j DROP 
> -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS
> --clamp-mss-to-pmtu 
> -A FORWARD -o eth1 -p tcp -m tcp --sport 137:139 -j DROP 
> -A FORWARD -o eth1 -p udp -m udp --sport 137:139 -j DROP 
> -A FORWARD -s ! 192.168.0.0/255.255.255.0 -i eth0 -j DROP 
> -A FORWARD -i tun+ -j ACCEPT 
> -A FORWARD -i eth0 -j ACCEPT 
> -A FORWARD -o eth1 -m state --state NEW -j ACCEPT 
> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
> -A OUTPUT -o eth1 -p tcp -m tcp --sport 137:139 -j DROP 
> -A OUTPUT -o eth1 -p udp -m udp --sport 137:139 -j DROP 
> -A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT 
> -A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT 
> -A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT 
> -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 53 -j ACCEPT 
> -A OUTPUT -p udp -m udp --sport 1024:65535 --dport 25 -j ACCEPT 
> -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 25 -j ACCEPT 
> -A OUTPUT -o eth1 -m state --state NEW -j ACCEPT 
> COMMIT
> # Completed on Mon Sep 12 12:43:05 2005
> --snip--
> 
> Does anyone of you have hint? 

Do you have a return route?

cheers

Erich

Sorry, I do not understand completely.
I set up the OpenVPN on a firewall in order to get into the network behind. 
When I do a "route" on that firewall this is displayed:

10.8.0.2		*		255.255.255.255	UH	0      0        0 tun0
10.8.0.0		10.8.0.2	255.255.255.0		UG	0      0        0 tun0
192.168.0.0	*		255.255.255.0		U	0      0        0 eth0
62.169.3.0	*		255.255.255.0		U	0      0        0 eth1
link-local		*		255.255.0.0		U	0      0        0 eth0
loopback		*		255.0.0.0			U	0      0        0 lo
default		iprice-gw.seman 0.0.0.0		UG	0      0        0 eth1

But the gateway to the 10.80.0.x network should be the 10.8.0.1, shouldn't it?
The two 10.8.0.x routes come from openvpn, clearly. But they are set 
automatically. Is there a possibility to set them another way and how should 
this look like?
Thanks, Christophorus

Christophorus Laube wrote:
> Sorry, I do not understand completely
> I set up the OpenVPN on a firewall in order to get into the network behind. 
> When I do a "route" on that firewall this is displayed:
> 
> 10.8.0.2		*		255.255.255.255	UH	0      0        0 tun0
> 10.8.0.0		10.8.0.2	255.255.255.0		UG	0      0        0 tun0
> 192.168.0.0	*		255.255.255.0		U	0      0        0 eth0
> 62.169.3.0	*		255.255.255.0		U	0      0        0 eth1
> link-local		*		255.255.0.0		U	0      0        0 eth0
> loopback		*		255.0.0.0			U	0      0        0 lo
> default		iprice-gw.seman 0.0.0.0		UG	0      0        0 eth1
> 
> But the gateway to the 10.80.0.x network should be the 10.8.0.1, shouldn't it?
> The two 10.8.0.x routes come from openvpn, clearly. But they are set 
> automatically. Is there a possibility to set them another way and how should 
> this look like?


This route table looks OK to me.  I think your problem lies elsewhere.

If the machine you are pinging is indeed receiving the pings then the
problem is likely either:

A. as Erich suggested, that you don't have a return route (i.e. neither
the pinged machine nor its default gateway have a route to the 10.8.0.0
network), and the replies are getting lost.

or

B. that your firewall is blocking the replies.

Is your VPN server the default gateway of the pinged machine?  If not
then the problem is probably A and you need to add a route on the LAN's
default gateway to redirect 10.8.0.0 traffic to your VPN server (or add
a route directly on the pinged machine).  If your VPN server *is* the
defualt gateway, then the problem is likely B, and you might try
liberally adding some -j LOG rules to your firewall script and tail -f
the log while you ping to see if anything is bouncing.

You might also re-read this section of the HOWTO:
http://openvpn.net/howto.html#scope

and go to the FAQ at http://openvpn.net/faq.html and read the section
titled "I've successfully set up OpenVPN and can ping between both
OpenVPN peers, however I cannot reach any of the other machines on the
remote subnet. What's the problem?"

Hope that helps.

Nathan

Hello openvpn-users,

Can someone help me, I want to use OpenVPN project without distributing TAPINSTALL.EXE and of course without using it i.e. I want to install TAP driver from INF file with my own program. I write in DELPHI, but and some C source can help me

Best regards, 
  
Hristo Markow
airsoft@...
2005-10-02

confirm 821876

-- 
XXLadsl ponuda do 15.01.2006.- ve=e6e brzine, iste cijene, a uz priklju=e8ak dobivate
i DVD player. Uz XXLadsl surfajte i dalje 60 dana neograni=e8eno za samo 1 kunu!

Hey All,

I have a network interface config question  Not sure if this is the best =
newsgroup to post this to.  The question arises from using openvpn =
(grins). =20

I have finally successfully configured a Windows 2003 dhcp server with =
openvpn.  When my clients connect, they issue a DHCP request, and then =
they receive an IP address... Well the windows clients anyways... The =
Mac OSX clients take a bit more cohersion.  Initially when the Mac OSX =
(10.4) connects to the vpn, they don't automatically get an IP address =
from the DHCP server, thus I need to write a client "up" script.

The only way I can figure out how to do this in a script is to issue a =
"ipconfig" command, "ipconfig set tap0 DHCP".  Problem is that ipconfig =
is essentially deprecated from reading the man page, and I'm a bit =
apprehensive to use a deprecated command in a production script.  Does =
anyone have any ideas what other equivalent commands I could issue to =
get the client Mac OSX machines to do a DHCP request?  The man page =
suggests using the system configuration framework, which I'd imagine =
requires writing code.

Also, in the event that I use an up script to get a DHCP address, would =
I need an equivalent "down" script to do any cleanup or shutdown, etc.. =
?

Thanks,
Matt
--
Matt Weiss - Software Journeyman
X-Rite, Incorporated
3100 44th Street SW
Grandville, MI 49418

--

Regards,
Airtel Telephone & Broadband services.

This email is sent on behalf of Cromwell Business Systems Ltd. and is strictly confidential and intended solely for the addressee(s).  It may contain personal and confidential information and as such may be protected by the Data Protection Act 1998.

If you are not the intended recipient of this email you must: (i) not disclose, copy or distribute its contents to any other person nor use its contents in any way or you may be acting unlawfully;  (ii) contact Cromwell Business Systems immediately on +44 (0)1353 650900 quoting the name of the sender and the addressee then delete it from your system.

Any views or opinions expressed within this email are those of the author, and do not necessarily represent those of Cromwell Business Systems.

Cromwell Business Systems have scanned this email for viruses but does not accept any responsibility once this email has been transmitted.  You should scan attachments (if any) for viruses.

Hi there,

 

Im pretty sure this has been posted on the list before and Im hoping someone
can point mer to a solution or help me to solve the problem.

 

The Setup is as follows:

 

I have OpenVPN setup as a Routed Server on Win2K3 Server.

 

I have windows XP Clients dialing in and making a connection. The client can
ping the server and vice versa.

The problem I have is that I am trying to get SNMP data from the clients
behind the XP client. Anyone help with this or point me in the right
direction.

 

 

 

Anthony

Greetings OpenVPN users,
The openvpn.org home page contains this statement: "...OpenVPN  
support is beginning to appear on dedicated hardware devices."  I'm  
wondering if anyone can point me to some of these hardware devices?

If not, does anyone have recommendations for devices and/or software  
projects you'd recommend for building an OpenVPN Gateway Device?

I'm looking to deploy quite a few devices and would prefer something  
"out of the box".  My research has only turned up solutions involving  
a firmware linux install on generic devices... NSLU2-Linux (http:// 
 http://www.nslu2-linux.org/), OpenVPN Gateway Builder (http:// 
 http://www.schapiro.org/schlomo/ogb/).

Thanks!
Nick

Related Thread:
http://openvpn.net/archive/openvpn-users/2006-06/msg00098.html

Hi

Nick Riemondi wrote:
> Greetings OpenVPN users,
> The openvpn.org home page contains this statement: "...OpenVPN  
> support is beginning to appear on dedicated hardware devices."  I'm  
> wondering if anyone can point me to some of these hardware devices?
> 
> If not, does anyone have recommendations for devices and/or software  
> projects you'd recommend for building an OpenVPN Gateway Device?
> 
> I'm looking to deploy quite a few devices and would prefer something  
> "out of the box".  My research has only turned up solutions involving  
> a firmware linux install on generic devices... NSLU2-Linux (http:// 
> http://www.nslu2-linux.org/), OpenVPN Gateway Builder (http:// 
> http://www.schapiro.org/schlomo/ogb/).

I am successfully using the wrap board by pcengines
http://www.pcengines.ch with LEAF http://leaf.sourceforge.net

cheers

Erich

On Wed, 23 Aug 2006 01:35:39 +0400, Nick Riemondi <nick@...>  
wrote:
> projects you'd recommend for building an OpenVPN Gateway Device
OpenWRT is capable of being the OpenVPN server.

Tony.

On 8/22/06, Nick Riemondi <nick@...> wrote:
> Greetings OpenVPN users,
> The openvpn.org home page contains this statement: "...OpenVPN
> support is beginning to appear on dedicated hardware devices."  I'm
> wondering if anyone can point me to some of these hardware devices?
>
> If not, does anyone have recommendations for devices and/or software
> projects you'd recommend for building an OpenVPN Gateway Device?
>
> I'm looking to deploy quite a few devices and would prefer something
> "out of the box".  My research has only turned up solutions involving
> a firmware linux install on generic devices... NSLU2-Linux (http://
> http://www.nslu2-linux.org/), OpenVPN Gateway Builder (http://
> http://www.schapiro.org/schlomo/ogb/).
>
> Thanks!
> Nick
>
> Related Thread:
> http://openvpn.net/archive/openvpn-users/2006-06/msg00098.html
>
>

I use Soekris boxes running m0n0wall. OpenVPN is currently officially
unsupported on m0n0wall, but there is a custom image floating around
supporting it, which works well and has given me no real problems. I
link several branch offices with it, and it's a very nice one-stop
vpn/gateway/firewall solution. The Soekris boxes are reliable, since
there are no moving parts, and m0n0wall is very stable.

http://www.soekris.com
http://m0n0.ch/wall

Chris

Thanks everyone for your input, much appreciated.

Nick

On Aug 23, 2006, at 9:00 AM, Christopher Santero wrote:
>
> I use Soekris boxes running m0n0wall. OpenVPN is currently officially
> unsupported on m0n0wall, but there is a custom image floating around
> supporting it, which works well and has given me no real problems. I
> link several branch offices with it, and it's a very nice one-stop
> vpn/gateway/firewall solution. The Soekris boxes are reliable, since
> there are no moving parts, and m0n0wall is very stable.
>
> http://www.soekris.com
> http://m0n0.ch/wall
>
> Chris

Great big huge thanx to everyone working on this incredible piece of
software.
OpenVPN has answered my every need and is incredibly stable, I'm syncing
24GB over the crappiest ADSL-line money can buy (Thank <fill in diety of
choice> time is NOT essential) and it has been trickling along for 14 day=
s
straight withouth a glitch.
I've used several commercial vpn's before without being anywhere near the
stability of this thing!
Once again: Thank you very much!

Sturla

Hi,

 

   Just tried to install the latest beta (OpenVPN 2.1_beta16 -- released
on 2006.10.01) on my windows server 64 bit, had a nice crash and
reboot...

 

 

________________________________
Eric

On 10/3/06, Eric Lamer <eric.lamer@...> wrote:
>
> Hi,
>
>    Just tried to install the latest beta (OpenVPN 2.1_beta16 -- released =
on
> 2006.10.01) on my windows server 64 bit, had a nice crash and reboot=85
> ________________________________
>  Eric

The same happened here during the installation of 2.1beta16 on a dual
xeon EMT64 windows server. According to the installer output the
system was detected as 32-bit ("We are running on a 32-bit system.").
The installer and the OS crashed during the tap-win32 driver
installation.

Panagiotis

About a month ago, something happened which caused my Windows XP clients to
not be able to connect to Windows 2003 shares or Samba shares over the VPN.
All other network traffic works perfectly (ping, ssh, etc...).  The server
is set to push the WINS server, which shows up in 'ipconfig /all'.  'net
view' shows the available computers, after about 2 minutes.

When I attempt to connect to a Windows share, it just hangs for about 5
minutes.  After that time, a username/password dialog box pops up for
authenticating myself.  In Windows' infinite wisdom, you can't enter your
current username/password.  If I change to a different username/password, it
sometimes will work.

Anyone else experiencing this?

Windows XP SP2 Clients (OpenVPN 2.0.9)
OpenBSD 3.8 Server (OpenVPN 2.0.6 & 2.0.9)
Windows Server SP1 File Server
Ubuntu Edgy Eft File Server

Stephen Gerstacker
Sr. Database Developer
Electronic Data Payment Systems
p: 866.578.9740 x114
f: 866.578.9740

Hello all,

I'm quite new to openvpn and really liked its features I've seen
working in the last days I'm using it. I was looking for some
information on capacity limitations of openvpn in the list archives
and openvpn homepage but didnt find what I was looking for...

One of my questions refers to the amount of certificates openvpn can
handle locally (for instance, created using the scripts in openvpn
package, or if there is any recommended PKI infrastructure for it).
Can it handle, lets say, 10.000 user certificates? I suspect that
would cause a huge seek time for the correct file, so I assume PKI
would be required. Maybe I'm wrong..

Also, I was looking for some info on any experienced high throughput
installation and amount of concurrent users.

Thanks in advance for any help.

--
Antonio

PKI and user certificates relate to the same thing.

The amount of certificates has no effect on the performance: The server
doesn't keep track of all files. It simply checks the signature of the
certificate of connecting clients (at connection time). Whether 1 or 1
million certificates were emitted doesn't make any difference.

Actually, according to your setup, the number of certificate might have one
indirect effect on performance: CRLs. If you use a CRL (black list of
revoked certificates), chances are your CRL is longer when you have more
clients. Then again, I don't thing the impact would be meaningful since it
should be compared to the total workload (including SSL encryption of
tunnels) which can also be expected to grow with the number of clients.

HTH,

Serge.
http://www.apptranslator.com


> -----Original Message-----
> From: openvpn-users-bounces@... 
> [mailto:openvpn-users-bounces@...] On 
> Behalf Of Antonio Forster
> Sent: mercredi 7 mars 2007 22:09
> To: openvpn-users@...
> Subject: [Openvpn-users] (no subject)
> 
> Hello all,
> 
> I'm quite new to openvpn and really liked its features I've 
> seen working in the last days I'm using it. I was looking for 
> some information on capacity limitations of openvpn in the 
> list archives and openvpn homepage but didnt find what I was 
> looking for...
> 
> One of my questions refers to the amount of certificates 
> openvpn can handle locally (for instance, created using the 
> scripts in openvpn package, or if there is any recommended 
> PKI infrastructure for it).
> Can it handle, lets say, 10.000 user certificates? I suspect 
> that would cause a huge seek time for the correct file, so I 
> assume PKI would be required. Maybe I'm wrong..
> 
> Also, I was looking for some info on any experienced high 
> throughput installation and amount of concurrent users.
> 
> Thanks in advance for any help.
> 
> --
> Antonio
> 
> --------------------------------------------------------------
> -----------
> Take Surveys. Earn Cash. Influence the Future of IT Join 
> SourceForge.net's Techsay panel and you'll get the chance to 
> share your opinions on IT & business topics through brief 
> surveys-and earn cash 
> http://www.techsay.com/default.php?page=join.php&p=sourceforge
> &CID=DEVDEV
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@...
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
>

Serge,

first of all, thanks for the help


On 3/7/07, Serge Wautier <serge@...> wrote:
> PKI and user certificates relate to the same thing.
>
> The amount of certificates has no effect on the performance: The server
> doesn't keep track of all files. It simply checks the signature of the
> certificate of connecting clients (at connection time). Whether 1 or 1
> million certificates were emitted doesn't make any difference.
>
> Actually, according to your setup, the number of certificate might have one
> indirect effect on performance: CRLs. If you use a CRL (black list of
> revoked certificates), chances are your CRL is longer when you have more
> clients. Then again, I don't thing the impact would be meaningful since it
> should be compared to the total workload (including SSL encryption of
> tunnels) which can also be expected to grow with the number of clients.

do you have any information on testing performance on openvpn? Something like:

total throughput   X    concurrent clients   x  kind of processor

or any other performance testing.

TIA

Antonio

Hi folks:

I've got an issue with OpenVPN and a Dlink DCS-6620G camera.  The =
camera=20
can transmit either a UDP or TCP datastream for its picture, and the =
manual=20
recommends using UDP for better performance.  I've found that if I try =
to=20
view the UDP datastream over OpenVPN, when the OpenVPN connection itself =
is=20
a UDP connection, I get no picture.  However, if I set the camera to TCP =
I=20
get a picture.  If I use a TCP OpenVPN connection I get a picture from =
the=20
camera using either UDP or TCP. =20

Both OpenVPN connections are bridge mode connections using a windows =
host=20
and windows client.  I don't see any unusual errors in either the =
client=20
openvpn log or the server openvpn log.  The only messages I see are the=20
occasional backtrack error message in the client log, which show up now =
and=20
then whenever I use a UDP connection. =20


Suggestions welcome.

srw

On Friday Mar 23, 2007 around 2:11am, OpenVPN MailingList wrote,

> I've got an issue with OpenVPN and a Dlink DCS-6620G camera. 
> The camera can transmit either a UDP or TCP datastream for its 
> picture, and the manual recommends using UDP for better 
> performance.  I've found that if I try to view the UDP 
> datastream over OpenVPN, when the OpenVPN connection itself is 
> a UDP connection, I get no picture.  However, if I set the 
> camera to TCP I get a picture.  If I use a TCP OpenVPN 
> connection I get a picture from the camera using either UDP or 
> TCP.
my 2c thinks that this will be MTU related, since openvpn over 
tcp is letting TCP handle the fragmentation for you.  When you 
run in UDP mode, the VPN packets are (likely) dropped along the 
path as 'oversized', but the ICMP error message is never 
sent/accepted, so the packets never get trimmed.  If you have 
firewalls, turn them all off and try again.

The man page suggests this as a starting point:
               --tun-mtu 1500 --fragment 1300 --mssfix

&:-)

--
Linux - it's bug free! (each bug is free)

Hi all.

I'm needing to build a Suse9 install Cd that is as simple and as minimal as 
possible.

How would I consolidate all of the .rpm files into one disk so that only the 
packages that I intend to install are on the CD.  It seems that the system 
needs to know what disk the various packages are on.  How do I accomplish 
this?

TIA,

-- 
Mike Diehl

Hi,

i'm trying to set the local port with the "--lport" option.
OpenVPN ignores the option and chooses the port randomly.
Is this a bug or is the "--lport" option only allowed in udp mode ?

Here a few infos:

openvpn --version
OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Mar  2 2007
Developed by James Yonan
Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@...>

The config file

proto tcp-client
local 11.22.33.44
lport 50000
remote 55.66.77.88
rport 50001
dev tun0
ifconfig x.x.x.x x.x.x.x
secret mysecret.key
ping 10
ping-restart 12
verb 4

Thx a lot !

I can not print or ping from an XP home SP2 machine to a local ethernet
printer when openVPN is connected. I can print and ping from 2 millenium
computers on the LAN when connected. When I disconnect the print job goes
through and I can ping the printer from all 3 computers. I can ping and
connect to the 2 millenium computers (on the local LAN) when connected to
openVPN. The connection is an ethernet bridge. Both sides can see each
other's computers.
The trouble is on the client side. On the server side both the XP and
Win98 computers can print to their local LAN whether or not the openVPN is
connected.

PS I could not get the bridge to work until I installed 2 ethernet cards
on the server side. I also installed 2 ethernet cards on this client side.

One other client connection works fine with only one card. It connects
from a Win2K machine.

---------- Forwarded message ----------
From: stephen123@... <stephen123@...>
Date: May 1, 2007 2:41 AM
Subject: Printing on local LAN with Ethernet bridging
To: Leonard Isham <leonard.isham@...>


We are starting to use OpenVPN. Thank you James Yonan and everyone who has
worked on the program. This is my first time on a mailing list.
The program is mostly working. I set up an ethernet bridge. Each side can
see the
computers on the other side. However there is a problem on the client
side. When not
connected to OpenVPN, all computers on the client side can see each other
and the
192.168.2.130 network printer, a Canon MFC 8170c. When OpenVPN is
connected All computers can see each other but the XP home computer
running OpenVPN can not see the printer(ping fails). The other 2 computers
can however (One is millenium, one is Win98SE). I have not tried printing
across the  openVPN yet.

##### The Server machine has 2 ethernet cards.
# Running XP pro
# The router is 192.168.2.1 255.255.255.0. The DHCP is 192.168.2-40.
# Port 1194 is forwarded in router.
# The first ethernet card is 192.168.2.132
# The second card is bridged. The bridge is set to 10.8.0.1. Firewall
disabled.

##### the Client machine in the second office has 2 ethernet cards.
# Running XP Home
# The router is 192.168.2.129 255.255.255.0
# Port 1194 is forwarded in router.
# The first ethernet card is 192.168.2.132
# The second card is bridged. The bridge is 10.8.0.54. Firewall disabled.
# The other computers are 192.168.2.135 and 138.
# The networked printer is 192.168.2.130.

# Server side config file using ethernet bridging.
port 1194
proto udp
dev tap
dev-node OpenVPN
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 10.8.0.1 255.255.255.0 10.8.0.50 10.8.0.100
comp-lzo
persist-key
persist-tun
push "persist-key"
push "persist-tun"
ping-restart 60
ping-timer-rem
resolv-retry 86400
push "ping-restart 60"
status openvpn-status.log
verb 3
mute 10
push "route 192.168.2.0 255.255.255.0"
route 10.8.0.50 255.255.255.0
route 10.8.0.51 255.255.255.0
route 10.8.0.52 255.255.255.0

####### Client Side config file
client
dev tap
dev-node OpenVPN
proto udp
remote icaoaklandcamera.dyndns.org 1194
float
resolv-retry infinite
nobind
ping-timer-rem
resolv-retry 86400
ca ca.crt
cert  client4.crt
key client4.key
ns-cert-type server
comp-lzo
verb 3
mute 10


##### I would like to post what I have found about testing openVPN with
DSL and dialup.
##### But I do not know how to do it.

The problem. Testing openVPN. I have DSL at home for the Server side of
openVPN. The
client side is a mile or 2 away, very inconvienient. So I set up dial up
at home for
testing. Here is what I found. An internal modem does not work. The
response to pinging
is too slow. Sometimes I would get 1,2 or even 4 replies with time=1500ms
about. But then
it would fail on repeating the pinging. The solution is an external
hardware mode. Even
thought the ping time is slow it works and is consistent.




Leonard Isham
> Stephen,
>
> A few suggestions:
>
> With no subject many people will ignore your original message.
>
> With no real details most people who do read it will not bother to reply.
>
> Now as to details. What you stated was like I have 3 cars two work
> properly and one doesn't. No details = no answer.
>
> What are the config files w/o the comments, what is the local ip subnet,
> etc.
>
> Give yourself the best chance to get help.
>
> On 4/28/07, stephen123@... <stephen123@...> wrote:
>>
>> I can not print or ping from an XP home SP2 machine to a local ethernet
>> printer when openVPN is connected. I can print and ping from 2 millenium
>> computers on the LAN when connected. When I disconnect the print job
>> goes
>> through and I can ping the printer from all 3 computers. I can ping and
>> connect to the 2 millenium computers (on the local LAN) when connected
>> to
>> openVPN. The connection is an ethernet bridge. Both sides can see each
>> other's computers.
>> The trouble is on the client side. On the server side both the XP and
>> Win98 computers can print to their local LAN whether or not the openVPN
>> is
>> connected.
>>
>> PS I could not get the bridge to work until I installed 2 ethernet cards
>> on the server side. I also installed 2 ethernet cards on this client
>> side.
>>
>> One other client connection works fine with only one card. It connects
>> from a Win2K machine.
>>
>>
>>
>> -------------------------------------------------------------------------
>> This SF.net email is sponsored by DB2 Express
>> Download DB2 Express C - the FREE version of DB2 express and take
>> control of your XML. No limits. Just data. Click to get it now.
>> http://sourceforge.net/powerbar/db2/
>> _______________________________________________
>> Openvpn-users mailing list
>> Openvpn-users@...
>> https://lists.sourceforge.net/lists/listinfo/openvpn-users
>>
>
>
> --
> Thank you for getting back to me. I appreciate it,
>
> Leonard Isham, CISSP
> Ostendo non ostento.
>
> http://sec-soapbox.blogspot.com/index.html
>



-- 
Thank you for getting back to me. I appreciate it,

Leonard Isham, CISSP
Ostendo non ostento.

http://sec-soapbox.blogspot.com/index.html

Hi All,
I got solution for network to network openvpn. see the url.
 http://christoph.fuchs.cc/openvpn/
 
Best Regards 
 
Tanaji Yadav ...nobody's born with the knowledge...
RedHat Cetrified Engineer
"If GNU/Linux does not have the solution, you've got the wrong problem."

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com

<html><div style='background-color:'><DIV class=RTE>
<P><BR>393135c90705252131l41ad4806h148e196703bd2ade@...: text/plain; charset="iso-8859-1"<BR><BR></P>
<DIV></DIV><FONT color=#000000></DIV>
<DIV>please open. thanks</DIV></FONT></div><br clear=all><hr> <a href="http://g.msn.com/8HMBENUS/2752??PS=47575" target="_top">Like the way Microsoft Office Outlook works? You’ll love Windows Live Hotmail.</a> </html>

<html><div style='background-color:'><DIV class=RTE>
<P><BR><BR></P>
<DIV></DIV><FONT color=#000000></DIV>
<DIV></DIV>iD8DBQFGXvG1HSSgJy5aUScRAsakAJ99zffOP/k4sAvfqnNTu5xShTtJsQCfZDnl
<DIV></DIV>4FTPab3o8j94zdMDXgOMMnU=
<DIV></DIV>=ZOMg
<DIV></DIV>-----END PGP SIGNATURE-----
<DIV></DIV></FONT></div><br clear=all><hr> <a href="http://g.msn.com/8HMAENUS/2746??PS=47575" target="_top">Don’t miss your chance to WIN $10,000 and other great prizes from Microsoft Office Live</a> </html>

<html><div style='background-color:'><DIV class=RTE>
<P><BR><BR></P>
<DIV></DIV><FONT color=#000000></DIV>
<DIV></DIV></FONT></div><br clear=all><hr> <a href="http://g.msn.com/8HMAENUS/2749??PS=47575" target="_top">Don’t miss your chance to WIN $10,000 and other great prizes from Microsoft Office Live</a> </html>

<html><div style='background-color:'><DIV class=RTE>
<P><BR><BR></P>
<DIV></DIV><FONT color=#000000></DIV>
<DIV></DIV></FONT></div><br clear=all><hr> <a href="http://g.msn.com/8HMAENUS/2731??PS=47575" target="_top">Like puzzles? Play free games & earn great prizes. Play Clink now.</a> </html>

<html><div style='background-color:'><DIV class=RTE>
<P><BR>help<BR></P>
<DIV></DIV><FONT color=#000000></DIV>
<DIV></DIV></FONT></div><br clear=all><hr> <a href="http://g.msn.com/8HMAENUS/2752??PS=47575" target="_top">Make every IM count. Download Messenger and join the i’m Initiative now. It’s free.</a> </html>

<html><div style='background-color:'><DIV class=RTE>
<P>help. please open<BR><BR></P>
<DIV></DIV><FONT color=#000000></DIV>
<DIV></DIV></FONT></div><br clear=all><hr> <a href="http://g.msn.com/8HMBENUS/2755??PS=47575" target="_top">Make every IM count. Download Messenger and join the i’m Initiative now. It’s free.</a> </html>

<html><div style='background-color:'><DIV class=RTE>
<P><BR><BR></P>
<DIV></DIV><FONT color=#000000></DIV>
<DIV>please open</DIV></FONT></div><br clear=all><hr> <a href="http://g.msn.com/8HMAENUS/2749??PS=47575" target="_top">Hotmail to go? Get your Hotmail, news, sports and much more!</a> </html>

In the thread "Re: [Openvpn-users] VPN will not work after restart in =
Windows XP
SP2"  on Sat, 19 Mar 2005
(http://openvpn.net/archive/openvpn-users/2005-03/msg00479.html) Mathias =
Sundman
wrote:=20

"The only way I could reproduce a similar problem was by using the last
installation and installing a _SECOND_ TAP device."
The problem was not getting an ip address by tun interface.=20

I have the same problem with OpenVPN 2.1_rc4 (released on 2007.04.25) on =
Win XP,
SP2 with no 3rd party firewall.
The question is: Is this really so that two years after this bug was =
found it's
still in OpenVPN???

Best regards,
Piotr Dobrogost
POLAND

I have a simple question, I think.=0A=0AI have a very small network at the =
office. Cable internet -to- a WRT54G router -to- 5 computers... All compute=
rs WinXP Pro, only one computer (it is running OpenVPN) needs to be accesse=
d from one remote location. I have tested with this minimum configuration:=
=0A=0A**Server**=0Adev tun=0Aifconfig 10.8.0.1 10.8.0.2=0Asecret static.key=
=0A=0A=0A**client**=0Aremote host.homedns.org=0Adev tun=0Aifconfig 10.8.0.2=
 10.8.0.1=0Asecret static.key=0A =0A=0AI can ping from either end with no p=
roblems. But I can not see any of the files on the server. Is there anythin=
g I need to do to be able to access files from the remote location? The rem=
ote location laptop can see and access the files when in the office and hoo=
ked to the office network.=0A=0AThnaks,=0ARich Elliott=0A=0A=0A       =0A__=
___________________________________________________________________________=
_______=0ATake the Internet to Go: Yahoo!Go puts the Internet in your pocke=
t: mail, news, photos & more. =0Ahttp://mobile.yahoo.com/go?refer=3D1GNXIC

--=20
Cacimar Zen=F3n

No imprimir si no es necesario. Protejamos el Medio Ambiente.

-- 
Ist Ihr Browser Vista-kompatibel? Jetzt die neuesten 
Browser-Versionen downloaden: http://www.gmx.net/de/go/browser

A


Lp

Sent from iPhone

openvpn-users@...

Hi!

I am configuring openvpn with a linux box on the server side and a vista
laptop on client side. I'd like to route al traffic through the VPN using
the redirect-gateway configuration but I do not get it. How can I do to
really enorce ALL traffic through the tunnel?

So if I try a tracert from the client laptop to any destintion I get
everything through the VPN:
C:\Users\pep>tracert google.com

Tracing route to google.com [74.125.45.100]
over a maximum of 30 hops:

  1   178 ms   548 ms   518 ms  mylinuxbox.com [10.20.30.1]
  2   925 ms   362 ms   273 ms  192.168.254.254
  3     *        *      295 ms  bzn-6k-5-v201.routers.proxad.net
[212.27.55.126]

  4     *     2970 ms   281 ms  bzn-crs16-1-be1200.intf.routers.proxad.net
[212.
27.57.126]
  5   315 ms     *      349 ms  cbv-6k-1-po20.intf.routers.proxad.net
[212.27.50
.190]
  6   249 ms   270 ms  1051 ms  74.125.50.117
  7   273 ms   353 ms   286 ms  209.85.251.40
  8   359 ms   366 ms   404 ms  72.14.236.220
  9   404 ms   817 ms   352 ms  72.14.239.85
 10   393 ms   367 ms   369 ms  72.14.239.49
 11   471 ms   361 ms   372 ms  72.14.232.215
 12   494 ms   451 ms   450 ms  209.85.253.133
 13   348 ms     *     2970 ms  yx-in-f100.google.com [74.125.45.100]

Trace complete.

But if I try to tracert my own linux box the rout goes off the tunnel, see:
C:\Users\pep>tracert montblanc.homeip.net

Tracing route to mylinuxbox.com [xxx.xxx.xxx.xxx]
over a maximum of 30 hops:

  1     3 ms     2 ms     2 ms  192.168.1.1
  2    42 ms    42 ms    43 ms  192.168.153.1
  3    42 ms    43 ms    44 ms  49.Red-80-58-117.staticIP.rima-tde.net
[80.58.117.49]
  4     *       43 ms    43 ms 
So-5-0-0-0-grtbcntb1.red.telefonica-wholesale.net [84.16.9.241]
  5    64 ms    64 ms    65 ms 
So5-3-0-0-grtparix3.red.telefonica-wholesale.net [84.16.12.134]
  6    91 ms    79 ms    78 ms 
proxad-2-0-0-grtparix3.red.telefonica-wholesale.net [213.140.52.78]
  7    68 ms    65 ms    64 ms  th2-crs16-1-be1007.intf.routers.proxad.net
[212.27.50.137]
  8    68 ms     *       69 ms  bzn-6k-5-po6.intf.routers.proxad.net
[212.27.50.194]
  9    61 ms    63 ms    64 ms  lns-bzn-48.routers.proxad.net [212.27.55.78]
 10     *        *      155 ms  mylinuxbox.com [xxx.xxx.xxx.xxx]

Trace complete.



Bellow are my configuratins

Server side configuration:

port 245
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.20.30.0 255.255.255.0
push "redirect-gateway def1"
push "ip-win32 dynamic"
push "dhcp-option DNS 10.20.30.1"
push "dhcp-option DOMAIN mylinuxbox.com";
push "dhcp-option WINS 10.20.30.1"
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3


Client side configuration:

client
dev tun
proto tcp
remote mylinuxbox.com 2222
resolv-retry infinite
nobind
persist-key
persist-tun
ca "D:\\Program Files\\OpenVPN\\keys\\ca.crt"
cert "D:\\Program Files\\OpenVPN\\keys\\peak.crt"
key "D:\\Program Files\\OpenVPN\\keys\\peak.key"
comp-lzo
verb 3


Thanks in advance for your advice guys!
Josep Serrano.

Hello Josep,

it would be nice if you choose the right subject for your e-mails next
time ;-)

Your main-issue might be that you want to tunnel your connections to the
maschine where the VPN-Server actually runs on. By default OpenVPN sets
a host-route to this maschine because it has to communicate with the
VPN-Server over the "normal" link and therefore it must not be routed
through the tun/tap-device of OpenVPN.

This issue can only be solved on the client. On linux I would suggest
using iptables and iproute2 and set up a second routing-table, but on
Windows I don't know if it is possible at all - but the technique
remains the same: Route connections on port 1194 to "mylinuxbox.com"
over the normal interface and everything else over the tun/tap-device of
the VPN-Connection.


Kind regards,

Bernd

mylists@... schrieb:
> Hi!
> 
> I am configuring openvpn with a linux box on the server side and a vista
> laptop on client side. I'd like to route al traffic through the VPN using
> the redirect-gateway configuration but I do not get it. How can I do to
> really enorce ALL traffic through the tunnel?
> 
> So if I try a tracert from the client laptop to any destintion I get
> everything through the VPN:
> C:\Users\pep>tracert google.com
> 
> Tracing route to google.com [74.125.45.100]
> over a maximum of 30 hops:
> 
>   1   178 ms   548 ms   518 ms  mylinuxbox.com [10.20.30.1]
>   2   925 ms   362 ms   273 ms  192.168.254.254
>   3     *        *      295 ms  bzn-6k-5-v201.routers.proxad.net
> [212.27.55.126]
> 
>   4     *     2970 ms   281 ms  bzn-crs16-1-be1200.intf.routers.proxad.net
> [212.
> 27.57.126]
>   5   315 ms     *      349 ms  cbv-6k-1-po20.intf.routers.proxad.net
> [212.27.50
> .190]
>   6   249 ms   270 ms  1051 ms  74.125.50.117
>   7   273 ms   353 ms   286 ms  209.85.251.40
>   8   359 ms   366 ms   404 ms  72.14.236.220
>   9   404 ms   817 ms   352 ms  72.14.239.85
>  10   393 ms   367 ms   369 ms  72.14.239.49
>  11   471 ms   361 ms   372 ms  72.14.232.215
>  12   494 ms   451 ms   450 ms  209.85.253.133
>  13   348 ms     *     2970 ms  yx-in-f100.google.com [74.125.45.100]
> 
> Trace complete.
> 
> But if I try to tracert my own linux box the rout goes off the tunnel, see:
> C:\Users\pep>tracert montblanc.homeip.net
> 
> Tracing route to mylinuxbox.com [xxx.xxx.xxx.xxx]
> over a maximum of 30 hops:
> 
>   1     3 ms     2 ms     2 ms  192.168.1.1
>   2    42 ms    42 ms    43 ms  192.168.153.1
>   3    42 ms    43 ms    44 ms  49.Red-80-58-117.staticIP.rima-tde.net
> [80.58.117.49]
>   4     *       43 ms    43 ms 
> So-5-0-0-0-grtbcntb1.red.telefonica-wholesale.net [84.16.9.241]
>   5    64 ms    64 ms    65 ms 
> So5-3-0-0-grtparix3.red.telefonica-wholesale.net [84.16.12.134]
>   6    91 ms    79 ms    78 ms 
> proxad-2-0-0-grtparix3.red.telefonica-wholesale.net [213.140.52.78]
>   7    68 ms    65 ms    64 ms  th2-crs16-1-be1007.intf.routers.proxad.net
> [212.27.50.137]
>   8    68 ms     *       69 ms  bzn-6k-5-po6.intf.routers.proxad.net
> [212.27.50.194]
>   9    61 ms    63 ms    64 ms  lns-bzn-48.routers.proxad.net [212.27.55.78]
>  10     *        *      155 ms  mylinuxbox.com [xxx.xxx.xxx.xxx]
> 
> Trace complete.
> 
> 
> 
> Bellow are my configuratins
> 
> Server side configuration:
> 
> port 245
> proto tcp
> dev tun
> ca /etc/openvpn/easy-rsa/keys/ca.crt
> cert /etc/openvpn/easy-rsa/keys/server.crt
> key /etc/openvpn/easy-rsa/keys/server.key
> dh /etc/openvpn/easy-rsa/keys/dh1024.pem
> server 10.20.30.0 255.255.255.0
> push "redirect-gateway def1"
> push "ip-win32 dynamic"
> push "dhcp-option DNS 10.20.30.1"
> push "dhcp-option DOMAIN mylinuxbox.com";
> push "dhcp-option WINS 10.20.30.1"
> client-to-client
> keepalive 10 120
> comp-lzo
> user nobody
> group nogroup
> persist-key
> persist-tun
> status openvpn-status.log
> verb 3
> 
> 
> Client side configuration:
> 
> client
> dev tun
> proto tcp
> remote mylinuxbox.com 2222
> resolv-retry infinite
> nobind
> persist-key
> persist-tun
> ca "D:\\Program Files\\OpenVPN\\keys\\ca.crt"
> cert "D:\\Program Files\\OpenVPN\\keys\\peak.crt"
> key "D:\\Program Files\\OpenVPN\\keys\\peak.key"
> comp-lzo
> verb 3
> 
> 
> Thanks in advance for your advice guys!
> Josep Serrano.

-- 
    \\\||///
  \\  - -  //
   (  @ @  )
-oOo--( )--oOo-------------------------------------------------------
 Firma Bernd Holzmüller                          http://www.tiggersWelt.net
                                                info@...
 Mönchstrasse 25                             Tel: 07 11 / 550 425-90
 70191 Stuttgart                             Fax: 07 11 / 550 425-99
 Deutschland/Germany                       OpenPGP/GnuPG: 0xDF553B9F

Not sure what you are running on the Vista box - but I would run
openVPN v2.1_rc15 - it has been stable for me and fixed some dns
issues I was having.

Good Luck.

On Fri, Mar 20, 2009 at 6:06 AM, tiggersWelt.net (Support)
<support@...> wrote:
> Hello Josep,
>
> it would be nice if you choose the right subject for your e-mails next
> time ;-)
>
> Your main-issue might be that you want to tunnel your connections to the
> maschine where the VPN-Server actually runs on. By default OpenVPN sets
> a host-route to this maschine because it has to communicate with the
> VPN-Server over the "normal" link and therefore it must not be routed
> through the tun/tap-device of OpenVPN.
>
> This issue can only be solved on the client. On linux I would suggest
> using iptables and iproute2 and set up a second routing-table, but on
> Windows I don't know if it is possible at all - but the technique
> remains the same: Route connections on port 1194 to "mylinuxbox.com"
> over the normal interface and everything else over the tun/tap-device of
> the VPN-Connection.
>
>
> Kind regards,
>
> Bernd
>
> mylists@... schrieb:
>> Hi!
>>
>> I am configuring openvpn with a linux box on the server side and a vista
>> laptop on client side. I'd like to route al traffic through the VPN using
>> the redirect-gateway configuration but I do not get it. How can I do to
>> really enorce ALL traffic through the tunnel?
>>
>> So if I try a tracert from the client laptop to any destintion I get
>> everything through the VPN:
>> C:\Users\pep>tracert google.com
>>
>> Tracing route to google.com [74.125.45.100]
>> over a maximum of 30 hops:
>>
>>   1   178 ms   548 ms   518 ms  mylinuxbox.com [10.20.30.1]
>>   2   925 ms   362 ms   273 ms  192.168.254.254
>>   3     *        *      295 ms  bzn-6k-5-v201.routers.proxad.net
>> [212.27.55.126]
>>
>>   4     *     2970 ms   281 ms  bzn-crs16-1-be1200.intf.routers.proxad.net
>> [212.
>> 27.57.126]
>>   5   315 ms     *      349 ms  cbv-6k-1-po20.intf.routers.proxad.net
>> [212.27.50
>> .190]
>>   6   249 ms   270 ms  1051 ms  74.125.50.117
>>   7   273 ms   353 ms   286 ms  209.85.251.40
>>   8   359 ms   366 ms   404 ms  72.14.236.220
>>   9   404 ms   817 ms   352 ms  72.14.239.85
>>  10   393 ms   367 ms   369 ms  72.14.239.49
>>  11   471 ms   361 ms   372 ms  72.14.232.215
>>  12   494 ms   451 ms   450 ms  209.85.253.133
>>  13   348 ms     *     2970 ms  yx-in-f100.google.com [74.125.45.100]
>>
>> Trace complete.
>>
>> But if I try to tracert my own linux box the rout goes off the tunnel, see:
>> C:\Users\pep>tracert montblanc.homeip.net
>>
>> Tracing route to mylinuxbox.com [xxx.xxx.xxx.xxx]
>> over a maximum of 30 hops:
>>
>>   1     3 ms     2 ms     2 ms  192.168.1.1
>>   2    42 ms    42 ms    43 ms  192.168.153.1
>>   3    42 ms    43 ms    44 ms  49.Red-80-58-117.staticIP.rima-tde.net
>> [80.58.117.49]
>>   4     *       43 ms    43 ms
>> So-5-0-0-0-grtbcntb1.red.telefonica-wholesale.net [84.16.9.241]
>>   5    64 ms    64 ms    65 ms
>> So5-3-0-0-grtparix3.red.telefonica-wholesale.net [84.16.12.134]
>>   6    91 ms    79 ms    78 ms
>> proxad-2-0-0-grtparix3.red.telefonica-wholesale.net [213.140.52.78]
>>   7    68 ms    65 ms    64 ms  th2-crs16-1-be1007.intf.routers.proxad.net
>> [212.27.50.137]
>>   8    68 ms     *       69 ms  bzn-6k-5-po6.intf.routers.proxad.net
>> [212.27.50.194]
>>   9    61 ms    63 ms    64 ms  lns-bzn-48.routers.proxad.net [212.27.55.78]
>>  10     *        *      155 ms  mylinuxbox.com [xxx.xxx.xxx.xxx]
>>
>> Trace complete.
>>
>>
>>
>> Bellow are my configuratins
>>
>> Server side configuration:
>>
>> port 245
>> proto tcp
>> dev tun
>> ca /etc/openvpn/easy-rsa/keys/ca.crt
>> cert /etc/openvpn/easy-rsa/keys/server.crt
>> key /etc/openvpn/easy-rsa/keys/server.key
>> dh /etc/openvpn/easy-rsa/keys/dh1024.pem
>> server 10.20.30.0 255.255.255.0
>> push "redirect-gateway def1"
>> push "ip-win32 dynamic"
>> push "dhcp-option DNS 10.20.30.1"
>> push "dhcp-option DOMAIN mylinuxbox.com";
>> push "dhcp-option WINS 10.20.30.1"
>> client-to-client
>> keepalive 10 120
>> comp-lzo
>> user nobody
>> group nogroup
>> persist-key
>> persist-tun
>> status openvpn-status.log
>> verb 3
>>
>>
>> Client side configuration:
>>
>> client
>> dev tun
>> proto tcp
>> remote mylinuxbox.com 2222
>> resolv-retry infinite
>> nobind
>> persist-key
>> persist-tun
>> ca "D:\\Program Files\\OpenVPN\\keys\\ca.crt"
>> cert "D:\\Program Files\\OpenVPN\\keys\\peak.crt"
>> key "D:\\Program Files\\OpenVPN\\keys\\peak.key"
>> comp-lzo
>> verb 3
>>
>>
>> Thanks in advance for your advice guys!
>> Josep Serrano.
>
> --
>    \\\||///
>  \\  - -  //
>   (  @ @  )
> -oOo--( )--oOo-------------------------------------------------------
>  Firma Bernd Holzmüller                          www.tiggersWelt.net
>                                                info@...
>  Mönchstrasse 25                             Tel: 07 11 / 550 425-90
>  70191 Stuttgart                             Fax: 07 11 / 550 425-99
>  Deutschland/Germany                       OpenPGP/GnuPG: 0xDF553B9F
>
> ------------------------------------------------------------------------------
> Apps built with the Adobe(R) Flex(R) framework and Flex Builder(TM) are
> powering Web 2.0 with engaging, cross-platform capabilities. Quickly and
> easily build your RIAs with Flex Builder, the Eclipse(TM)based development
> software that enables intelligent coding and step-through debugging.
> Download the free 60 day trial. http://p.sf.net/sfu/www-adobe-com
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@...
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
>

Hi Bernd

Sorry about missing the subject. Sometimes your brain goes faster tan your
fingers typing and you miss some word, some subject, and worst than that
:-)

Back to the subject. Thank you for your response. That was clear and logic.
Tell me if that makes any sense.

I will do some search about how to handle this redirection with Vista. I
am really out of my domain here :-) Perhaps somebody in the list already
has gne through it?

Thanks,
Josep Serrano.


> Hello Josep,
>
> it would be nice if you choose the right subject for your e-mails next
> time ;-)
>
> Your main-issue might be that you want to tunnel your connections to the
> maschine where the VPN-Server actually runs on. By default OpenVPN sets
> a host-route to this maschine because it has to communicate with the
> VPN-Server over the "normal" link and therefore it must not be routed
> through the tun/tap-device of OpenVPN.
>
> This issue can only be solved on the client. On linux I would suggest
> using iptables and iproute2 and set up a second routing-table, but on
> Windows I don't know if it is possible at all - but the technique
> remains the same: Route connections on port 1194 to "mylinuxbox.com"
> over the normal interface and everything else over the tun/tap-device of
> the VPN-Connection.
>
>
> Kind regards,
>
> Bernd
>
> mylists@... schrieb:
>> Hi!
>>
>> I am configuring openvpn with a linux box on the server side and a vista
>> laptop on client side. I'd like to route al traffic through the VPN
>> using
>> the redirect-gateway configuration but I do not get it. How can I do to
>> really enorce ALL traffic through the tunnel?
>>
>> So if I try a tracert from the client laptop to any destintion I get
>> everything through the VPN:
>> C:\Users\pep>tracert google.com
>>
>> Tracing route to google.com [74.125.45.100]
>> over a maximum of 30 hops:
>>
>>   1   178 ms   548 ms   518 ms  mylinuxbox.com [10.20.30.1]
>>   2   925 ms   362 ms   273 ms  192.168.254.254
>>   3     *        *      295 ms  bzn-6k-5-v201.routers.proxad.net
>> [212.27.55.126]
>>
>>   4     *     2970 ms   281 ms
>> bzn-crs16-1-be1200.intf.routers.proxad.net
>> [212.
>> 27.57.126]
>>   5   315 ms     *      349 ms  cbv-6k-1-po20.intf.routers.proxad.net
>> [212.27.50
>> .190]
>>   6   249 ms   270 ms  1051 ms  74.125.50.117
>>   7   273 ms   353 ms   286 ms  209.85.251.40
>>   8   359 ms   366 ms   404 ms  72.14.236.220
>>   9   404 ms   817 ms   352 ms  72.14.239.85
>>  10   393 ms   367 ms   369 ms  72.14.239.49
>>  11   471 ms   361 ms   372 ms  72.14.232.215
>>  12   494 ms   451 ms   450 ms  209.85.253.133
>>  13   348 ms     *     2970 ms  yx-in-f100.google.com [74.125.45.100]
>>
>> Trace complete.
>>
>> But if I try to tracert my own linux box the rout goes off the tunnel,
>> see:
>> C:\Users\pep>tracert montblanc.homeip.net
>>
>> Tracing route to mylinuxbox.com [xxx.xxx.xxx.xxx]
>> over a maximum of 30 hops:
>>
>>   1     3 ms     2 ms     2 ms  192.168.1.1
>>   2    42 ms    42 ms    43 ms  192.168.153.1
>>   3    42 ms    43 ms    44 ms  49.Red-80-58-117.staticIP.rima-tde.net
>> [80.58.117.49]
>>   4     *       43 ms    43 ms
>> So-5-0-0-0-grtbcntb1.red.telefonica-wholesale.net [84.16.9.241]
>>   5    64 ms    64 ms    65 ms
>> So5-3-0-0-grtparix3.red.telefonica-wholesale.net [84.16.12.134]
>>   6    91 ms    79 ms    78 ms
>> proxad-2-0-0-grtparix3.red.telefonica-wholesale.net [213.140.52.78]
>>   7    68 ms    65 ms    64 ms
>> th2-crs16-1-be1007.intf.routers.proxad.net
>> [212.27.50.137]
>>   8    68 ms     *       69 ms  bzn-6k-5-po6.intf.routers.proxad.net
>> [212.27.50.194]
>>   9    61 ms    63 ms    64 ms  lns-bzn-48.routers.proxad.net
>> [212.27.55.78]
>>  10     *        *      155 ms  mylinuxbox.com [xxx.xxx.xxx.xxx]
>>
>> Trace complete.
>>
>>
>>
>> Bellow are my configuratins
>>
>> Server side configuration:
>>
>> port 245
>> proto tcp
>> dev tun
>> ca /etc/openvpn/easy-rsa/keys/ca.crt
>> cert /etc/openvpn/easy-rsa/keys/server.crt
>> key /etc/openvpn/easy-rsa/keys/server.key
>> dh /etc/openvpn/easy-rsa/keys/dh1024.pem
>> server 10.20.30.0 255.255.255.0
>> push "redirect-gateway def1"
>> push "ip-win32 dynamic"
>> push "dhcp-option DNS 10.20.30.1"
>> push "dhcp-option DOMAIN mylinuxbox.com";
>> push "dhcp-option WINS 10.20.30.1"
>> client-to-client
>> keepalive 10 120
>> comp-lzo
>> user nobody
>> group nogroup
>> persist-key
>> persist-tun
>> status openvpn-status.log
>> verb 3
>>
>>
>> Client side configuration:
>>
>> client
>> dev tun
>> proto tcp
>> remote mylinuxbox.com 2222
>> resolv-retry infinite
>> nobind
>> persist-key
>> persist-tun
>> ca "D:\\Program Files\\OpenVPN\\keys\\ca.crt"
>> cert "D:\\Program Files\\OpenVPN\\keys\\peak.crt"
>> key "D:\\Program Files\\OpenVPN\\keys\\peak.key"
>> comp-lzo
>> verb 3
>>
>>
>> Thanks in advance for your advice guys!
>> Josep Serrano.
>
> --
>     \\\||///
>   \\  - -  //
>    (  @ @  )
> -oOo--( )--oOo-------------------------------------------------------
>  Firma Bernd Holzmüller                          http://www.tiggersWelt.net
>                                                 info@...
>  Mönchstrasse 25                             Tel: 07 11 / 550 425-90
>  70191 Stuttgart                             Fax: 07 11 / 550 425-99
>  Deutschland/Germany                       OpenPGP/GnuPG: 0xDF553B9F
>

Can Openvpn-as be configure to accept logins from people within a certain group??




________________________________


Doug Hall
IT Operations Manager
Dir
Fax
Mobile
Email

+44 (0)1179 303 420
+44 (0)1179 259 954
+44 (0)7966 343 084
dhall@...>





Committed 2 Communications Ltd
7th Floor, Whitefriars. Lewins Mead. Bristol. BS1 2NT. UK




General
Web

+44 (0)1179 303 450
http://www.com2com.com<http://www.com2com.com/>




________________________________
NTT Fundraising is a trading name of Committed 2 Communications Ltd, a UK company offering specialist services to the charity sector in telephone fundraising, as well as recruitment, donor relationship management, direct debit and BACs Bureau services - to name a few. For more information visit http://www.nttfundraising.co.uk.

Unless expressly stated otherwise, this message is confidential and may be privileged. It is intended for the addressee(s) only. Access to this e-mail by anyone else is unauthorised. If you are not an addressee, any disclosure or copying of the contents of this e-mail or any action taken (or not taken) in reliance on it is unauthorised and may be unlawful. If you are not an addressee, please inform the sender immediately. You should carry out your own virus checks before opening any attachment.

Registered Office: 7th Floor, Whitefriars, Lewins Mead, Bristol BS1 2NT, United Kingdom

Registered In England, Registered Trading Number: 06458746

:) Sorry to be dim, but you might as well have been meowing at me..
I wanted to use LDAP, but if there's a better way, then I'm all ears..

From: David [mailto:admin@...]
Sent: 17 June 2009 12:55
To: Doug Hall
Cc: openvpn-users@...
Subject: Re: [Openvpn-users] (no subject)

if you're using pam authentication you can insert pam_listfile into the pam stack.


On Wed, Jun 17, 2009 at 12:52 PM, Doug Hall <DHall@...>> wrote:

Can Openvpn-as be configure to accept logins from people within a certain group??









________________________________


Doug Hall
IT Operations Manager

Dir
Fax

Mobile
Email


+44 (0)1179 303 420
+44 (0)1179 259 954

+44 (0)7966 343 084
dhall@...>








Committed 2 Communications Ltd
7th Floor, Whitefriars. Lewins Mead. Bristol. BS1 2NT. UK







General
Web


+44 (0)1179 303 450
http://www.com2com.com<http://www.com2com.com/>






________________________________
NTT Fundraising is a trading name of Committed 2 Communications Ltd, a UK company offering specialist services to the charity sector in telephone fundraising, as well as recruitment, donor relationship management, direct debit and BACs Bureau services - to name a few. For more information visit http://www.nttfundraising.co.uk<http://www.nttfundraising.co.uk>.

Unless expressly stated otherwise, this message is confidential and may be privileged. It is intended for the addressee(s) only. Access to this e-mail by anyone else is unauthorised. If you are not an addressee, any disclosure or copying of the contents of this e-mail or any action taken (or not taken) in reliance on it is unauthorised and may be unlawful. If you are not an addressee, please inform the sender immediately. You should carry out your own virus checks before opening any attachment.

Registered Office: 7th Floor, Whitefriars, Lewins Mead, Bristol BS1 2NT, United Kingdom

Registered In England, Registered Trading Number: 06458746

------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited
royalty-free distribution of the report engine for externally facing
server and web deployment.
http://p.sf.net/sfu/businessobjects
_______________________________________________
Openvpn-users mailing list
Openvpn-users@...>
https://lists.sourceforge.net/lists/listinfo/openvpn-users


________________________________
NTT Fundraising is a trading name of Committed 2 Communications Ltd, a UK company offering specialist services to the charity sector in telephone fundraising, as well as recruitment, donor relationship management, direct debit and BACs Bureau services - to name a few. For more information visit http://www.nttfundraising.co.uk.

Unless expressly stated otherwise, this message is confidential and may be privileged. It is intended for the addressee(s) only. Access to this e-mail by anyone else is unauthorised. If you are not an addressee, any disclosure or copying of the contents of this e-mail or any action taken (or not taken) in reliance on it is unauthorised and may be unlawful. If you are not an addressee, please inform the sender immediately. You should carry out your own virus checks before opening any attachment.

Registered Office: 7th Floor, Whitefriars, Lewins Mead, Bristol BS1 2NT, United Kingdom

Registered In England, Registered Trading Number: 06458746

A certain group of what? Where is the group defined?

Do you have a custom authentication program or script?

Best regards,

Richard K. Szabo
Software Developer and Industrial PC-Technician
 http://www.netsunited.com | http://www.capax.se


Doug Hall wrote:
> Can Openvpn-as be configure to accept logins from people within a certain group??
> 
> 
> 
> 
> ________________________________
> 
> 
> Doug Hall
> IT Operations Manager
> Dir
> Fax
> Mobile
> Email
> 
> +44 (0)1179 303 420
> +44 (0)1179 259 954
> +44 (0)7966 343 084
> dhall@...>
> 
> 
> 
> 
> 
> Committed 2 Communications Ltd
> 7th Floor, Whitefriars. Lewins Mead. Bristol. BS1 2NT. UK
> 
> 
> 
> 
> General
> Web
> 
> +44 (0)1179 303 450
> http://www.com2com.com<http://www.com2com.com/>
> 
> 
> 
> 
> ________________________________
> NTT Fundraising is a trading name of Committed 2 Communications Ltd, a UK company offering specialist services to the charity sector in telephone fundraising, as well as recruitment, donor relationship management, direct debit and BACs Bureau services - to name a few. For more information visit http://www.nttfundraising.co.uk.
> 
> Unless expressly stated otherwise, this message is confidential and may be privileged. It is intended for the addressee(s) only. Access to this e-mail by anyone else is unauthorised. If you are not an addressee, any disclosure or copying of the contents of this e-mail or any action taken (or not taken) in reliance on it is unauthorised and may be unlawful. If you are not an addressee, please inform the sender immediately. You should carry out your own virus checks before opening any attachment.
> 
> Registered Office: 7th Floor, Whitefriars, Lewins Mead, Bristol BS1 2NT, United Kingdom
> 
> Registered In England, Registered Trading Number: 06458746
> 
> 
> 
> ------------------------------------------------------------------------
> 
> ------------------------------------------------------------------------------
> Crystal Reports - New Free Runtime and 30 Day Trial
> Check out the new simplified licensing option that enables unlimited
> royalty-free distribution of the report engine for externally facing 
> server and web deployment.
> http://p.sf.net/sfu/businessobjects
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@...
> https://lists.sourceforge.net/lists/listinfo/openvpn-users

if you're using pam authentication you can insert pam_listfile into the pam
stack.


On Wed, Jun 17, 2009 at 12:52 PM, Doug Hall <DHall@...> wrote:

>  Can Openvpn-as be configure to accept logins from people within a certain
> group??
>
>
>
>
>
>
>
>
>  ------------------------------
>
>
>
> *Doug Hall *
> IT Operations Manager
>
> *Dir **
> **Fax *
>
> *Mobile**
> **Email** *
>
> +44 (0)1179 303 420
> +44 (0)1179 259 954
>
> +44 (0)7966 343 084
> dhall@...
>
>
>
>
>
> *Committed 2 Communications Ltd** *
> 7th Floor, Whitefriars. Lewins Mead. Bristol. BS1 2NT. UK
>
>
>
>
>
> *General **
> **Web *
>
> +44 (0)1179 303 450
> http://www.com2com.com
>
>
>
>
>
> ------------------------------
> NTT Fundraising is a trading name of Committed 2 Communications Ltd, a UK
> company offering specialist services to the charity sector in telephone
> fundraising, as well as recruitment, donor relationship management, direct
> debit and BACs Bureau services - to name a few. For more information visit
> http://www.nttfundraising.co.uk.
>
> Unless expressly stated otherwise, this message is confidential and may be
> privileged. It is intended for the addressee(s) only. Access to this e-mail
> by anyone else is unauthorised. If you are not an addressee, any disclosure
> or copying of the contents of this e-mail or any action taken (or not taken)
> in reliance on it is unauthorised and may be unlawful. If you are not an
> addressee, please inform the sender immediately. You should carry out your
> own virus checks before opening any attachment.
>
> Registered Office: 7th Floor, Whitefriars, Lewins Mead, Bristol BS1 2NT,
> United Kingdom
>
> Registered In England, Registered Trading Number: 06458746
>
>
> ------------------------------------------------------------------------------
> Crystal Reports - New Free Runtime and 30 Day Trial
> Check out the new simplified licensing option that enables unlimited
> royalty-free distribution of the report engine for externally facing
> server and web deployment.
> http://p.sf.net/sfu/businessobjects
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@...
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
>
>

hello

please stop sendding mails on this id

2009/12/5 saif khan <saifkhans101@...>:
> please stop sendding mails on this id
>
If you dont want to receive mails on this address, rtfm and unsubscribe.

Can I ask, as it's 3+ years since the release of 2.0.9, why 2.1 does not have an actual stable release, rather than being at rc22?

________________________________________________________________________
THE DRIVING FORCE BEHIND FREIGHT MANAGEMENT
________________________________________________________________________
This email and any files transmitted with it are confidential 
and intended solely for the use of the individual or entity to 
whom they are addressed. If you have received this email in 
error please notify hostmaster@...

This e-mail has been scanned for all viruses by Messagelabs.

All business is conducted subject to BIFA Standard Trading conditions, latest edition, a copy of which is available upon request or can be viewed on our website http://www.sbsworldwide.com/legals 
All rates are subject to fluctuation.

SBS Worldwide Ltd registered in England No: 1739816

Registered Office: SBS Cargo Centre, Anchor Boulevard, Crossways, Dartford, Kent DA2 6SB
________________________________________________________________________

Hello Tyrone,

> Can I ask, as it's 3+ years since the release of 2.0.9, why 2.1
> does not have an actual stable release, rather than being at rc22?

Everybody asks this question.
James didn't understand software release life cycle[1] at all!
OpenVPN is not suitable for business use :-(

On 20 May 2009 he stated:
We are very close to 2.1.  I know there's been some discussion about the
Windows client GUI, whether it deserves to live in 2.1.  We do have a 
new client GUI that we've developed as a part of our Access Server 
product and we are open to releasing it with 2.1, however doing so would 
probably add more RC cycles to the 2.1 release.

The other option is to just release what we have now, pending a week or 
so of testing on rc16, and get the new Windows client GUI into a 
post-2.1 release.


After RC16 much new features are included ...

greetings
Carsten

[1] https://secure.wikimedia.org/wikipedia/en/wiki/Software_release_life_cycle

Hi all

I am trying to use the shaper command but I receive the following on my Linux Server:

--shaper cannot be used with --mode server

Is there any workaround?

Thanks


________________________________________________________________________
THE DRIVING FORCE BEHIND FREIGHT MANAGEMENT
________________________________________________________________________
This email and any files transmitted with it are confidential 
and intended solely for the use of the individual or entity to 
whom they are addressed. If you have received this email in 
error please notify hostmaster@...

This e-mail has been scanned for all viruses by Messagelabs.

All business is conducted subject to BIFA Standard Trading conditions, latest edition, a copy of which is available upon request or can be viewed on our website http://www.sbsworldwide.com/legals 
All rates are subject to fluctuation.

SBS Worldwide Ltd registered in England No: 1739816

Registered Office: SBS Cargo Centre, Anchor Boulevard, Crossways, Dartford, Kent DA2 6SB
________________________________________________________________________

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/12/09 16:01, Carsten Krüger wrote:
> Hello Tyrone,
> 
>> Can I ask, as it's 3+ years since the release of 2.0.9, why 2.1
>> does not have an actual stable release, rather than being at rc22?
> 
> Everybody asks this question.
> James didn't understand software release life cycle[1] at all!
> OpenVPN is not suitable for business use :-(

Even though, I can agree that it has been a rather odd routine (if it
can be called a routine) for a release cycle, I find it a bit too strong
claiming OpenVPN is not suitable for business use.

Any product which will be used in business settings will need to go some
form of acceptance testing.  The testing requirements and expectations
will be different from user to user.  Such testing should not be based
on if a product is defined as "stable" from the developers of the
product, rather if it works stable in the setup needed for an acceptance
test.

Some users will then find out that a release candidate works better and
is more stable for them, then what a release defined as "stable" by the
developers.

Having that said, I do agree that the release candidate cycles have been
rather long for OpenVPN.  But that *do not* mean that the OpenVPN 2.1
RC22 is unstable for the majority of users.  Debian, Ubuntu, Red Hat
Enterprise Linux, Fedora, CentOS provides OpenVPN 2.1 RC candidates as
their stable releases.  I believe there are some discussions in Gentoo
to move the RC candidate over to stable.  That is the majority of Linux
distributions.  Slackware and openSuSE still seems to ship 2.0.9 as the
stable version, afaik.

I have personally run OpenVPN in production from 2.1_rc15 and up to
rc21, without any issues on any of these.  And I do know a lot of other
users do something similar.

> On 20 May 2009 he stated:
> We are very close to 2.1.  I know there's been some discussion about the
> Windows client GUI, whether it deserves to live in 2.1.  We do have a 
> new client GUI that we've developed as a part of our Access Server 
> product and we are open to releasing it with 2.1, however doing so would 
> probably add more RC cycles to the 2.1 release.
> 
> The other option is to just release what we have now, pending a week or 
> so of testing on rc16, and get the new Windows client GUI into a 
> post-2.1 release.
> 
> 
> After RC16 much new features are included ...

I have gone through the changelog [2] from rc16 up to rc22, and I must
say I'm surprised you say that "much new features are included".  There
are a few ones, yes.  But to call it many is a bit exaggerating.


Here is an summarized extract of the changelog:
- ----------------------------------------------------------------------
rc16: Windows installer changes, read config file from stdin, management
interface via unix domain sockets, added "nogw" support to
- --server-bridge, "pid" command to the management interface, new
"daemon_start_time" and "daemon_pid" environmental variables, build fixes.

rc17: Changed misc debug levels, fixed race condition in management
interface, increased management interface command buffer size, Windows
build fixes, added "redirect-private" option, added "autolocal" redirect
flag for Windows, increased TLS_CHANNEL_BUF_SIZE, fixed symbol conflicts
in Windows CryptoAPI, fixed bug when 'local' option is used.

rc18: build fix (--enable-small), fixed build problem on Windows

rc19: Windows TAP driver fixes, compat fixes for building with older
autoconf

rc20: Fixed bug with --redirect-gateway option changes from rc17.  Fixed
several build and ./configure tweaks (to enable/disable features in
compile time), fixed proper SELinux implementation, improved connection
init performance, made maximum number of "route" definitions
configurable, removed limitation of parameters being pushed to clients,
added --server-poll-timeout option, added AUTH_FAILED reason message to
clients, added client-kill command to management interface, added
- --remote-random-hostname option.

rc21: Hardened session renegotiation

rc22: Fixed Windows bug connected to dhcp-pre-release or dhcp-renew
options where used in combination with route-gateway dhcp.  Changed from
warning to failure if more that 16 certificates were found in the
certificate chain.
- ----------------------------------------------------------------------

- From this list, there is quite few new features which touches the VPN
and networking part (--server-bridge nogw, --redirect-private and
"autolocal", push route amount configurable, --remote-random-hostname).

It's been some more new features connected to the management interface,
which after all is a brand new feature in OpenVPN 2.1 (pid, AUTH_FAILED
reason message, client-kill).

The rest is basically build and bug fixes, mostly on the Windows
platform.  In addition, there's been done some improvements connected to
compile time configurations, which basically enables and disables
features and improvements connected to performance and security.

I honestly struggle to see "much new features" here.  Yes, there are
many changes, but not many features.  But I do see that some of these
new features which has been introduced mostly is connected to the
OpenVPN Access Server product James is also working on.  Except for
that, the rest is usually things which is normally found during a test
period.  And instead of releasing a 2.1 premature, which will would
require several fixes shortly afterwords, a longer RC period has been
preferred.

If the 2.1_rc16 release would be the final 2.1 version, we would by now
(in about 5 months) have reaced 2.1.6.  Does that sounds like a good
candidate for final release?  On the other hand, rc15 was living for
about 6 months before rc16 came, which probably was a really strong
candidate for a final 2.1 release.  Until the issues found between rc16
and rc22 surfaced.  I trust and believe James tries to reach a stage
where the RC candidate will be as solid as rc15 once was.

There has to be reasons why James is reluctant to finalise the 2.1
release.  I just wish the process of that decision would be much more
transparent to the community.  Maybe then, the community would
understand the situation better, or could maybe even help out better
with solving the last unsolved issues.

Anyway, in all projects it is important to draw a line and just say
"this is the final version".  And I do hope we are here soon now with
OpenVPN.  But a premature release which leads to a lot of quick patch
releases will only harm the quite good reputation OpenVPN do have, when
it comes to stability.


kind regards,

David Sommerseth



[2]
<http://www.openvpn.net/index.php/open-source/documentation/change-log/71-21-change-log.html>

> [1] https://secure.wikimedia.org/wikipedia/en/wiki/Software_release_life_cycle
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAksamowACgkQDC186MBRfrq7cgCglBww4M1sT+l4YeZQnkVsMRFa
cTQAniXV0h0BqMoxRyzbbCqRP7/Juo/5
=Bxwf
-----END PGP SIGNATURE-----

As a matter of fact, I can only say this is the most stable and predictable
VPN software I've ever used in the last three years. In this exact
millisecond OpenVPN is connecting 300 sites, around 2000 users, to our
enterprise core: the hard work is only for our firewall guys. I don't mind
the RC status.

And yes... the Windows GUI can be improved for those die-hard roadwarriors.

Great work, James & Co.


2009/12/5 Tyrone Omidi <tyrone.omidi@...>

>  Can I ask, as it’s 3+ years since the release of 2.0.9, why 2.1 does not
> have an actual stable release, rather than being at rc22?
>
>

Carsten Krüger wrote:

> After RC16 much new features are included ...

And 3 line bugfixes for reported problem(s) were not...

Well, you can always build your own fork, I guess.

Regards,
David

Hi,

Tyrone Omidi wrote:
> Hi all
>
> I am trying to use the shaper command but I receive the following on my Linux Server:
>
> --shaper cannot be used with --mode server
>
> Is there any workaround?
>
>
>   
what are you trying to achieve? the
  --shaper
directive is for shaping client traffic only; openvpn implicitly assumes 
that the server instance of openvpn will get the full bandwidth of the 
server itself. If you wish to limit that I'd suggest to use iproute2 
traffic shaping (see http://larts.org)

HTH,

JJK

On Mon, Dec 07, 2009 at 12:31:49PM +0100, Jan Just Keijser wrote:
> If you wish to limit that I'd suggest to use iproute2 
> traffic shaping (see http://larts.org)

ITYM http://lartc.org/ ?
-- 
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header

/dev/rob0 wrote:
> On Mon, Dec 07, 2009 at 12:31:49PM +0100, Jan Just Keijser wrote:
>   
>> If you wish to limit that I'd suggest to use iproute2 
>> traffic shaping (see http://larts.org)
>>     
>
> ITYM http://lartc.org/ ?
>   
YID ;-)
(Yes I Did)

I am looking for a way to build custom Windows installation packages for
OpenVPN 2.1.1 so I can include certificates and configurations.  I have
done this once before for 2.0.9 with the help of the install sources
from openvpn.se, but these install sources do not seem to be regularly
updated.  

I have tried to hack something together a couple of times where I would
to update the latest install source available on openvpn.se, 2.1rc7,
with the files extracted from 2.1.1.  I have not had any luck down that
path, hence my request for help.  

How can I create a custom Windows installer for OpenVPN 2.1.1?

I can't possibly be the only one out there trying to do this.  Any help
would be greatly appreciated.  


Thank you,
Corby

I am running linux, on the server and client.  I am using tap interface, and then the client requests a IP from the server.  I do it this way so that the IP space is used most efficiently.    The problem I have is that OpenVPN tires to add routes that the server side tells it to add but has a error adding the routes for some reason.  


"
Fri Mar 12 13:57:59 2010 /sbin/route add -net IP.of.Server netmask 255.255.255.255 gw 10.1.2.1
Fri Mar 12 13:57:59 2010 /sbin/route del -net 0.0.0.0 netmask 0.0.0.0
Fri Mar 12 13:57:59 2010 /sbin/route add -net 0.0.0.0 netmask 0.0.0.0 gw IP.of.Router
SIOCADDRT: No such process
Fri Mar 12 13:57:59 2010 ERROR: Linux route add command failed: external program exited with error status: 7
"

more details below

---CLIENT---
remote ip.of.server portNO
client
dev tap
proto udp
resolv-retry 3
nobind
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
tls-auth ta.key 1
cipher aes-256-cbc
comp-lzo
verb 3
mute 20
tls-client
pull
auth-user-pass
ping 10
ping-exit 60
explicit-exit-notify 3
up  up
script-security 3


--SERVER---
remote 208.73.74.72 443

## VPN SERVER Above
local ip.of.server
port port.NO
#proto tcp-server
proto udp
mode server
tls-server
dev tap0
## Files
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key  # This file should be kept secret
dh /etc/openvpn/keys/dh2048.pem
tls-auth        /etc/openvpn/keys/ta.key 0

server-bridge 
push "redirect-gateway"
push "route-gateway dhcp"
push "route-gateway ip.of.server"

max-routes-per-client 5000
ping 10
ping-exit 90
cipher aes-256-cbc
comp-lzo
max-clients     100
user openvpn
group openvpn
persist-key
persist-tun
status /etc/openvpn/status/server0 1   
mute 3
verb 4  # Leave on 3 in normal usage
plugin /usr/lib/openvpn/openvpn-auth-pam.so ovpn
client-config-dir /etc/openvpn/client-config/
client-cert-not-required
username-as-common-name
management 127.0.0.1  100
passtos
daemon



--CONNECTING LOG---
user@...$ sudo openvpn udp.ovpn 
Fri Mar 12 13:57:52 2010 OpenVPN 2.1_rc19 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Oct 13 2009
Enter Auth Username:bab
Enter Auth Password:
Fri Mar 12 13:57:55 2010 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Mar 12 13:57:55 2010 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Mar 12 13:57:55 2010 WARNING: file 'ta.key' is group or others accessible
Fri Mar 12 13:57:55 2010 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Fri Mar 12 13:57:55 2010 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Mar 12 13:57:55 2010 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Mar 12 13:57:55 2010 LZO compression initialized
Fri Mar 12 13:57:55 2010 Control Channel MTU parms [ L:1590 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Mar 12 13:57:55 2010 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Mar 12 13:57:55 2010 Local Options hash (VER=V4): '48527533'
Fri Mar 12 13:57:55 2010 Expected Remote Options hash (VER=V4): '44bd8b5e'
Fri Mar 12 13:57:55 2010 Socket Buffers: R=[114688->131072] S=[114688->131072]
Fri Mar 12 13:57:55 2010 UDPv4 link local: [undef]
Fri Mar 12 13:57:55 2010 UDPv4 link remote: 208.73.74.72:443
Fri Mar 12 13:57:55 2010 TLS: Initial packet from 208.73.74.72:443, sid=df34c10e c858687b
Fri Mar 12 13:57:55 2010 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Mar 12 13:57:55 2010 VERIFY OK: depth=0, santtized
Fri Mar 12 13:57:55 2010 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Fri Mar 12 13:57:55 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Mar 12 13:57:55 2010 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Fri Mar 12 13:57:55 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Mar 12 13:57:55 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 3072 bit RSA
Fri Mar 12 13:57:55 2010 [server] Peer Connection Initiated with IP.of.Server:1194
Fri Mar 12 13:57:56 2010 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Fri Mar 12 13:57:56 2010 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway,route-gateway IP.of.Gateway,route-gateway dhcp'
Fri Mar 12 13:57:56 2010 OPTIONS IMPORT: route options modified
Fri Mar 12 13:57:56 2010 OPTIONS IMPORT: route-related options modified
Fri Mar 12 13:57:56 2010 ROUTE default_gateway=10.1.2.1
Fri Mar 12 13:57:56 2010 TUN/TAP device tap0 opened
Fri Mar 12 13:57:56 2010 TUN/TAP TX queue length set to 100
Fri Mar 12 13:57:56 2010 up tap0 1500 1590   init
There is already a pid file /var/run/dhclient.tap0.pid with pid 21192
killed old client process, removed PID file
Internet Systems Consortium DHCP Client V3.1.2
Copyright 2004-2008 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/



Listening on LPF/tap0/00:ff:12:34:56:78
Sending on   LPF/tap0/00:ff:12:34:56:78
Sending on   Socket/fallback

Fri Mar 12 13:57:59 2010 /sbin/route add -net IP.of.Server netmask 255.255.255.255 gw 10.1.2.1
Fri Mar 12 13:57:59 2010 /sbin/route del -net 0.0.0.0 netmask 0.0.0.0
Fri Mar 12 13:57:59 2010 /sbin/route add -net 0.0.0.0 netmask 0.0.0.0 gw IP.of.Router
SIOCADDRT: No such process
Fri Mar 12 13:57:59 2010 ERROR: Linux route add command failed: external program exited with error status: 7
Fri Mar 12 13:57:59 2010 Initialization Sequence Completed

____________________________________________________________
Weight Loss Program
Best Weight Loss Program - Click Here!
http://thirdpartyoffers.netzero.net/TGL2231/c?cp=y4keEHJT1UyiUWxDqZDTuQAAJz6qIM1XPRjhvwYbecbFywiZAAYAAAAAAAAAAAAAAAAAAADNAAAAAAAAAAAAAAAAAAAEUgAAAAA=

On 12.Mar.2010, at 21:16, bryon3245@... wrote:

> I am running linux, on the server and client.  I am using tap interface, and then the client requests a IP from the server.  I do it this way so that the IP space is used most efficiently.    The problem I have is that OpenVPN tires to add routes that the server side tells it to add but has a error adding the routes for some reason.  
> 

This might be of some help if I only get you right.

http://hans.fugal.net/blog/2009/01/06/putting-openvpn-in-its-place/

Ivars
-- --
To the optimist, the glass is half full.
To the pessimist, the glass is half empty.
To the engineer, the glass is over-sized for optimal containment efficiency.

> 
> "
> Fri Mar 12 13:57:59 2010 /sbin/route add -net IP.of.Server netmask 255.255.255.255 gw 10.1.2.1
> Fri Mar 12 13:57:59 2010 /sbin/route del -net 0.0.0.0 netmask 0.0.0.0
> Fri Mar 12 13:57:59 2010 /sbin/route add -net 0.0.0.0 netmask 0.0.0.0 gw IP.of.Router
> SIOCADDRT: No such process
> Fri Mar 12 13:57:59 2010 ERROR: Linux route add command failed: external program exited with error status: 7
> "
> 
> more details below
> 
> ---CLIENT---
> remote ip.of.server portNO
> client
> dev tap
> proto udp
> resolv-retry 3
> nobind
> persist-key
> persist-tun
> mute-replay-warnings
> ca ca.crt
> tls-auth ta.key 1
> cipher aes-256-cbc
> comp-lzo
> verb 3
> mute 20
> tls-client
> pull
> auth-user-pass
> ping 10
> ping-exit 60
> explicit-exit-notify 3
> up  up
> script-security 3
> 
> 
> --SERVER---
> remote 208.73.74.72 443
> 
> ## VPN SERVER Above
> local ip.of.server
> port port.NO
> #proto tcp-server
> proto udp
> mode server
> tls-server
> dev tap0
> ## Files
> ca /etc/openvpn/keys/ca.crt
> cert /etc/openvpn/keys/server.crt
> key /etc/openvpn/keys/server.key  # This file should be kept secret
> dh /etc/openvpn/keys/dh2048.pem
> tls-auth        /etc/openvpn/keys/ta.key 0
> 
> server-bridge 
> push "redirect-gateway"
> push "route-gateway dhcp"
> push "route-gateway ip.of.server"
> 
> max-routes-per-client 5000
> ping 10
> ping-exit 90
> cipher aes-256-cbc
> comp-lzo
> max-clients     100
> user openvpn
> group openvpn
> persist-key
> persist-tun
> status /etc/openvpn/status/server0 1   
> mute 3
> verb 4  # Leave on 3 in normal usage
> plugin /usr/lib/openvpn/openvpn-auth-pam.so ovpn
> client-config-dir /etc/openvpn/client-config/
> client-cert-not-required
> username-as-common-name
> management 127.0.0.1  100
> passtos
> daemon
> 
> 
> 
> --CONNECTING LOG---
> user@...$ sudo openvpn udp.ovpn 
> Fri Mar 12 13:57:52 2010 OpenVPN 2.1_rc19 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Oct 13 2009
> Enter Auth Username:bab
> Enter Auth Password:
> Fri Mar 12 13:57:55 2010 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
> Fri Mar 12 13:57:55 2010 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
> Fri Mar 12 13:57:55 2010 WARNING: file 'ta.key' is group or others accessible
> Fri Mar 12 13:57:55 2010 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
> Fri Mar 12 13:57:55 2010 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
> Fri Mar 12 13:57:55 2010 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
> Fri Mar 12 13:57:55 2010 LZO compression initialized
> Fri Mar 12 13:57:55 2010 Control Channel MTU parms [ L:1590 D:166 EF:66 EB:0 ET:0 EL:0 ]
> Fri Mar 12 13:57:55 2010 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
> Fri Mar 12 13:57:55 2010 Local Options hash (VER=V4): '48527533'
> Fri Mar 12 13:57:55 2010 Expected Remote Options hash (VER=V4): '44bd8b5e'
> Fri Mar 12 13:57:55 2010 Socket Buffers: R=[114688->131072] S=[114688->131072]
> Fri Mar 12 13:57:55 2010 UDPv4 link local: [undef]
> Fri Mar 12 13:57:55 2010 UDPv4 link remote: 208.73.74.72:443
> Fri Mar 12 13:57:55 2010 TLS: Initial packet from 208.73.74.72:443, sid=df34c10e c858687b
> Fri Mar 12 13:57:55 2010 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
> Fri Mar 12 13:57:55 2010 VERIFY OK: depth=0, santtized
> Fri Mar 12 13:57:55 2010 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
> Fri Mar 12 13:57:55 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
> Fri Mar 12 13:57:55 2010 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
> Fri Mar 12 13:57:55 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
> Fri Mar 12 13:57:55 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 3072 bit RSA
> Fri Mar 12 13:57:55 2010 [server] Peer Connection Initiated with IP.of.Server:1194
> Fri Mar 12 13:57:56 2010 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
> Fri Mar 12 13:57:56 2010 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway,route-gateway IP.of.Gateway,route-gateway dhcp'
> Fri Mar 12 13:57:56 2010 OPTIONS IMPORT: route options modified
> Fri Mar 12 13:57:56 2010 OPTIONS IMPORT: route-related options modified
> Fri Mar 12 13:57:56 2010 ROUTE default_gateway=10.1.2.1
> Fri Mar 12 13:57:56 2010 TUN/TAP device tap0 opened
> Fri Mar 12 13:57:56 2010 TUN/TAP TX queue length set to 100
> Fri Mar 12 13:57:56 2010 up tap0 1500 1590   init
> There is already a pid file /var/run/dhclient.tap0.pid with pid 21192
> killed old client process, removed PID file
> Internet Systems Consortium DHCP Client V3.1.2
> Copyright 2004-2008 Internet Systems Consortium.
> All rights reserved.
> For info, please visit http://www.isc.org/sw/dhcp/
> 
> 
> 
> Listening on LPF/tap0/00:ff:12:34:56:78
> Sending on   LPF/tap0/00:ff:12:34:56:78
> Sending on   Socket/fallback
> 
> Fri Mar 12 13:57:59 2010 /sbin/route add -net IP.of.Server netmask 255.255.255.255 gw 10.1.2.1
> Fri Mar 12 13:57:59 2010 /sbin/route del -net 0.0.0.0 netmask 0.0.0.0
> Fri Mar 12 13:57:59 2010 /sbin/route add -net 0.0.0.0 netmask 0.0.0.0 gw IP.of.Router
> SIOCADDRT: No such process
> Fri Mar 12 13:57:59 2010 ERROR: Linux route add command failed: external program exited with error status: 7
> Fri Mar 12 13:57:59 2010 Initialization Sequence Completed
> 
> ____________________________________________________________
> Weight Loss Program
> Best Weight Loss Program - Click Here!
> http://thirdpartyoffers.netzero.net/TGL2231/c?cp=y4keEHJT1UyiUWxDqZDTuQAAJz6qIM1XPRjhvwYbecbFywiZAAYAAAAAAAAAAAAAAAAAAADNAAAAAAAAAAAAAAAAAAAEUgAAAAA=
> 
> ------------------------------------------------------------------------------
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@...
> https://lists.sourceforge.net/lists/listinfo/openvpn-users

-- 
With Best Wishes,
Saeed Asadi

If I want to block certain ports on my VPN server in iptables do I need to blovk them on the tun interfaces ie blovk a port on 10.0.8.x or does it need to be blcoked on the eth0 interface?

The interface you would specify in your firewall rules (regardless of
your platform) would be the one on which the connections you want to
prevent are coming in on.  If you want to prevent connections to the
server itself, you would refer to whatever interface your external
(so-called Real World) IP is assigned to.  If you want to control what
your VPN client systems can access, you would similarly block inbound
or forwarded connections as per the policy you want to enforce.

-Stephen
-- 
You know, I used to think it was awful that life was so unfair. Then I
thought, wouldn't it be much worse if life were fair, and all the
terrible things that happen to us come because we actually deserve
them? So, now I take great comfort in the general hostility and
unfairness of the universe.

I need to perform classful shaping on traffic traveling across an openvpn
tunnel. From what I've read this cannot be done with TC b/c the original
packets are actually regenerated by openvpn when they are encrypted( and
hence would loose the mark set during traversal through iptables). One forum
post I read recommended setting up multiple tunnels between the source and
destination and directing different classes of traffic through different
tunnels and utilizing the "shaping n" directive to control the bandwidth.
While this solution seems plausible there is a lot of overhead in setting up
additional routes, iptables rules, etc. Has anyone come up with a way of
getting around this limitation or have any recommendations?

Thanks

Jesse

JCotton wrote:
> From what I've read this cannot be done with TC b/c the original 
> packets are actually regenerated by openvpn when they are encrypted( 
> and hence would loose the mark set

You can use the passtos option when using TC.

Doug


-- 
Ben Franklin quote:

"Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety."

Openvpn-users Administrator 	    Authentication  
List Administrator Password:

ip addres windows mobile htc diamond2

tankyou.

i think you're supposed to google that, not post to this mailing 
list ...

     you're welcome !

Em 08/06/11 14:48, saeed.sifi escreveu:
> ip addres windows mobile htc diamond2
>
> tankyou.

-- 


	Atenciosamente / Sincerily,
	Leonardo Rodrigues
	Solutti Tecnologia
	http://www.solutti.com.br

	Minha armadilha de SPAM, NÃO mandem email
	gertrudes@...
	My SPAMTRAP, do not email it

vpn ip addres htc windows mobile tankyou.

wondows mobile op addres

On Thu, Jul 7, 2011 at 16:05, saeed.sifi <saeed.sifi@...> wrote:
> wondows mobile op addres

You've asked that, or something similar, twice before. Maybe if you
were to try asking a complete question, in the context of this mailing
list, somebody may be able to help you. As it is, 4 word phrases
(they're not really questions) where 2 of the words are an unrelated
product name are unlikely to generate anything useful.

-- 
                 Please keep list traffic on the list.

Rob MacGregor
      Whoever fights monsters should see to it that in the process he
        doesn't become a monster.                  Friedrich Nietzsche

-- 
John lino jose M. Bacarro

this is my email address;

peacebacs@...

.Click this link and you will find something new and interesting for
yourself!  http://aberdeen.ab.funpic.de/p.g.php?lirSection=12hi5

Ocloo

One client gets this error for no apparent reason. Any ideas what could cause this?

Sun Jan 29 18:29:10 2012 OpenVPN 2.1.3 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Aug 20 2010
Sun Jan 29 18:29:10 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sun Jan 29 18:29:10 2012 LZO compression initialized
Sun Jan 29 18:29:10 2012 UDPv4 link local: [undef]
Sun Jan 29 18:29:10 2012 UDPv4 link remote: xx.xxx.xxx.xx:1194
Sun Jan 29 18:29:14 2012 [server] Peer Connection Initiated with xx.xxx.xxx.xxx:1194
Sun Jan 29 18:29:17 2012 TAP-WIN32 device [Local Area Connection 3] opened: \\.\Global\{31B02813-7503-435B-92B2-2DFEEBEF475E}.tap
Sun Jan 29 18:29:17 2012 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.214/255.255.255.252 on interface {31B02813-7503-435B-92B2-2DFEEBEF475E} [DHCP-serv: 10.8.0.213, lease-time: 31536000]
Sun Jan 29 18:29:17 2012 Successful ARP Flush on interface [58] {31B02813-7503-435B-92B2-2DFEEBEF475E}
Sun Jan 29 18:29:22 2012 Initialization Sequence Completed
Sun Jan 29 22:17:56 2012 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #76381 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sun Jan 29 22:17:56 2012 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #76385 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

Vpn android L2tp

hi!
http://www.horizonortho.ca/components/com_content/indexs.php?o9no1q=mbtw07










al bean

I get the following error from a client connecting to the VPN.
Any ideas on what causes this and how I can resolve it?
This is the only client that has the error and the server is not  
issuing 192.168.x.x as a route

Mon May 06 12:13:18 2013 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2]  
[PKCS11] built on Dec 15 2011
Mon May 06 12:13:18 2013 NOTE: OpenVPN 2.1 requires '--script-security  
2' or higher to call user-defined scripts or executables
Mon May 06 12:13:18 2013 LZO compression initialized
Mon May 06 12:13:18 2013 UDPv4 link local: [undef]
Mon May 06 12:13:18 2013 UDPv4 link remote: 84.xxx.xxx.xx:1194
Mon May 06 12:13:19 2013 [ProxyPlayer.eu] Peer Connection Initiated  
with 84.246.227.39:1194
Mon May 06 12:13:22 2013 TAP-WIN32 device [Conexión de área local 5]  
opened: \\.\Global\{9D716C9B-7644-47D9-8B9C-0BE8DEB99E2D}.tap
Mon May 06 12:13:22 2013 Notified TAP-Win32 driver to set a DHCP  
IP/netmask of 10.8.0.30/255.255.255.252 on interface  
{9D716C9B-7644-47D9-8B9C-0BE8DEB99E2D} [DHCP-serv: 10.8.0.29,  
lease-time: 31536000]
Mon May 06 12:13:22 2013 Successful ARP Flush on interface [20]  
{9D716C9B-7644-47D9-8B9C-0BE8DEB99E2D}
Mon May 06 12:13:27 2013 Warning: route gateway is ambiguous:  
192.168.1.1 (2 matches)
  Correcto
Mon May 06 12:13:27 2013 Initialization Sequence Completed
Mon May 06 12:14:00 2013 Warning: route gateway is ambiguous:  
192.168.1.1 (2 matches)
  Correcto
Mon May 06 12:14:00 2013 SIGTERM[hard,] received, process exiting

It appears you're assigning VPN IPs in the same IP range as the local LAN.

-----
Eric F Crist



On May 8, 2013, at 10:21:59, forums@... wrote:

> I get the following error from a client connecting to the VPN.
> Any ideas on what causes this and how I can resolve it?
> This is the only client that has the error and the server is not  
> issuing 192.168.x.x as a route
> 
> Mon May 06 12:13:18 2013 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2]  
> [PKCS11] built on Dec 15 2011
> Mon May 06 12:13:18 2013 NOTE: OpenVPN 2.1 requires '--script-security  
> 2' or higher to call user-defined scripts or executables
> Mon May 06 12:13:18 2013 LZO compression initialized
> Mon May 06 12:13:18 2013 UDPv4 link local: [undef]
> Mon May 06 12:13:18 2013 UDPv4 link remote: 84.xxx.xxx.xx:1194
> Mon May 06 12:13:19 2013 [ProxyPlayer.eu] Peer Connection Initiated  
> with 84.246.227.39:1194
> Mon May 06 12:13:22 2013 TAP-WIN32 device [Conexión de área local 5]  
> opened: \\.\Global\{9D716C9B-7644-47D9-8B9C-0BE8DEB99E2D}.tap
> Mon May 06 12:13:22 2013 Notified TAP-Win32 driver to set a DHCP  
> IP/netmask of 10.8.0.30/255.255.255.252 on interface  
> {9D716C9B-7644-47D9-8B9C-0BE8DEB99E2D} [DHCP-serv: 10.8.0.29,  
> lease-time: 31536000]
> Mon May 06 12:13:22 2013 Successful ARP Flush on interface [20]  
> {9D716C9B-7644-47D9-8B9C-0BE8DEB99E2D}
> Mon May 06 12:13:27 2013 Warning: route gateway is ambiguous:  
> 192.168.1.1 (2 matches)
>  Correcto
> Mon May 06 12:13:27 2013 Initialization Sequence Completed
> Mon May 06 12:14:00 2013 Warning: route gateway is ambiguous:  
> 192.168.1.1 (2 matches)
>  Correcto
> Mon May 06 12:14:00 2013 SIGTERM[hard,] received, process exiting
> 
> 
> 
> ------------------------------------------------------------------------------
> Learn Graph Databases - Download FREE O'Reilly Book
> "Graph Databases" is the definitive new guide to graph databases and 
> their applications. This 200-page book is written by three acclaimed 
> leaders in the field. The early access version is available now. 
> Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@...
> https://lists.sourceforge.net/lists/listinfo/openvpn-users

Hi
No, IPs are assigned in the 10.8.x.x range as in the log
10.8.0.30
Mon May 06 12:13:22 2013 TAP-WIN32 device [Conexión de área local 5]
opened: \\.\Global\{9D716C9B-7644-47D9-8B9C-0BE8DEB99E2D}.tap
Mon May 06 12:13:22 2013 Notified TAP-Win32 driver to set a DHCP
IP/netmask of 10.8.0.30/255.255.255.252 on interface


Quoting Eric Crist <ecrist@...>:

> It appears you're assigning VPN IPs in the same IP range as the local LAN.
>
> -----
> Eric F Crist

"Warning: route gateway is ambiguous:
192.168.1.1 (2 matches)"

It seems that you already have that route on the client, maybe you're
client default GW route is "192.168.1.1"?



On Wed, May 8, 2013 at 5:09 PM, <forums@...> wrote:

> Hi
> No, IPs are assigned in the 10.8.x.x range as in the log
> 10.8.0.30
> Mon May 06 12:13:22 2013 TAP-WIN32 device [Conexión de área local 5]
> opened: \\.\Global\{9D716C9B-7644-47D9-8B9C-0BE8DEB99E2D}.tap
> Mon May 06 12:13:22 2013 Notified TAP-Win32 driver to set a DHCP
> IP/netmask of 10.8.0.30/255.255.255.252 on interface
>
>
> Quoting Eric Crist <ecrist@...>:
>
> > It appears you're assigning VPN IPs in the same IP range as the local
> LAN.
> >
> > -----
> > Eric F Crist
>
>
>
>
> ------------------------------------------------------------------------------
> Learn Graph Databases - Download FREE O'Reilly Book
> "Graph Databases" is the definitive new guide to graph databases and
> their applications. This 200-page book is written by three acclaimed
> leaders in the field. The early access version is available now.
> Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@...
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
>

But I do not specify that route!
Here is the server config:
local 84.xxx.xxx.xx
port 1194 #- port
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
client-config-dir /etc/openvpn/ccd
server 10.8.0.0 255.255.255.0
;push "redirect-gateway def1"
push "route 10.8.0.0 255.255.255.0"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 5 30
comp-lzo
persist-key
;persist-tun
status openvpn-status_tcp.log
verb 3
log /var/log/openvpn_tcp.log
;tun-mtu 1500
;link-mtu 1500
;fragment 1400
;mssfix


Quoting Miguel Clara <miguelmclara@...>:

> "Warning: route gateway is ambiguous:
> 192.168.1.1 (2 matches)"
>
> It seems that you already have that route on the client, maybe you're
> client default GW route is "192.168.1.1"?
>

2013/5/8  <forums@...>:
> But I do not specify that route!
> Here is the server config:
> [...]
> client-config-dir /etc/openvpn/ccd
> [...]

Even in client-specific config file ?


-- 
Jonathan Leroy

What configs do you have in the ccd dir? ----> /etc/openvpn/ccd

What configs do you have in the ccd dir? ----> /etc/openvpn/ccd

> What configs do you have in the ccd dir? ----> /etc/openvpn/ccd
The ccd directory only has files to prevent access to certain certificates.
The is simply a file with the disable directive.
No oter configs.


>> server 10.8.0.0 255.255.255.0
>> push "route 10.8.0.0 255.255.255.0"
>
> Get rid of that route push, you'll already get one by default.
Ok, I'll do that but this shouldn't affect 192.168.x.x IPs?

> 2013/5/8  <forums@...>:
>> But I do not specify that route!
>> Here is the server config:
>> [...]
>> client-config-dir /etc/openvpn/ccd
>> [...]
>
> Even in client-specific config file ?
The client config file does not have IP address routings. I think  
think the server push should do this.

[sorry forgot the "reply all"

Hum.. If its not the server config pushing the route and its not in
the ccd, you're left with the client config....

This is the client.ovpn
client
ns-cert-type server
dev tun
proto udp
remote 84.xxx.xxx.xx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert xxxxx.crt
key xxxxx.key
comp-lzo
verb 1
fragment 1300
mssfix

Any chance a firewall might cause this type of routing duplicate IP error?


> [sorry forgot the "reply all"
>
> Hum.. If its not the server config pushing the route and its not in
> the ccd, you're left with the client config....
>

The firewall or some manual route is there certainly (do a route print
on cmd line and check), but OpenVPN is also trying to define that
route... which is why you get the error...

OpenVPN does that if you push that route in server config or push the
default gateway and this turns out to be the same subnet... or if you
client configs (ccd or the client it self) also define that route!

But according to the configs you posted (except ccd - I think you
didn't post those) nothing seems to be defining such route, at least
that's what the log you posted was showing!


On Fri, May 10, 2013 at 10:39 AM,  <forums@...> wrote:
> This is the client.ovpn
> client
> ns-cert-type server
> dev tun
> proto udp
> remote 84.xxx.xxx.xx 1194
> resolv-retry infinite
> nobind
> persist-key
> persist-tun
> ca ca.crt
> cert xxxxx.crt
> key xxxxx.key
> comp-lzo
> verb 1
> fragment 1300
> mssfix
>
> Any chance a firewall might cause this type of routing duplicate IP error?
>
>
>
>> [sorry forgot the "reply all"
>>
>> Hum.. If its not the server config pushing the route and its not in
>> the ccd, you're left with the client config....
>>
>
>
>

Hi,

On Fri, May 10, 2013 at 09:39:23AM +0000, forums@... wrote:
> This is the client.ovpn

Please show a *log* with "verb 4".  That should make clear what's happening.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert@...
fax: +49-89-35655025                        gert@...