From: David K. <da...@ke...> - 2017-12-19 20:03:41

I had a sneaking suspicion that it might have something to do with IPv6. I am not able to work on this now as there is too much going on with work and home in the run up to Christmas. I was over a month back-level on AstLinux and decided to run a build overnight to catch up with the latest kernel and Asterisk fixes; that is what turned up this problem.

Thanks
David

On Tue, Dec 19, 2017 at 2:39 PM, Lonnie Abelbeck <li...@lo...> wrote:
> Hi David,
>
> I think we can fix this with a patch, but not sure what is best yet ...
>
> The struct lan_addr_s.index previously was only defined with ENABLE_IPV6, but now it is always defined.
>
> So in get_lan_for_peer()
> https://github.com/miniupnp/miniupnp/blob/master/miniupnpd/upnputils.c#L107
> there still are a lot of ENABLE_IPV6 differences.
>
> I think we can come up with a surgical fix. Let me know if you beat me to it.
>
> Lonnie
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Astlinux-devel mailing list
> Ast...@li...
> https://lists.sourceforge.net/lists/listinfo/astlinux-devel
From: David K. <da...@ke...> - 2017-12-19 19:55:47

For reference, here is my .conf file...

## Auto generated file. Do not edit.
ext_ifname=eth0
listening_ip=192.168.17.1/255.255.255.0
http_port=5000
enable_natpmp=yes
enable_upnp=yes
lease_file=/mnt/kd/upnp.leases
bitrate_up=1000000
bitrate_down=15000000
secure_mode=yes
min_lifetime=120
max_lifetime=86400
system_uptime=yes
notify_interval=60
clean_ruleset_interval=600
uuid=b30041e7-8d39-4bc1-a554-8f6d1b51e50f
serial=000001
friendly_name=AstLinux Router
model_name=AstLinux Router
model_description=astlinux-1.3-5e29e2
model_number=astlinux-1.3-5e29e2
allow 1024-65535 192.168.17.0/24 0-65535
deny 0-65535 0.0.0.0/0 0-65535

On Tue, Dec 19, 2017 at 1:12 PM, Michael Keuter <li...@mk...> wrote:
>
> > On 19.12.2017 at 18:57, Lonnie Abelbeck <li...@lo...> wrote:
> >
> > David and Michael,
> >
> > Do you both have UPnP enabled alone or part of NAT-PMP/PCP ?
> >
> > It seems without UPnP the error does not occur. Such as with [ NAT-PMP/PCP only ] .
> >
> > Lonnie
>
> I have enabled "NAT-PMP/PCP & UPnP" on "1st LAN" on my router.
>
> > On Dec 19, 2017, at 10:05 AM, David Kerr <Da...@Ke...> wrote:
> >
> >> Since miniupnpd version was bumped this week my syslog is getting flooded with warning messages...
> >>
> >> Dec 19 10:37:07 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
> >> Dec 19 10:37:07 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
> >> Dec 19 10:37:07 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
> >> Dec 19 10:37:07 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
> >> Dec 19 10:37:08 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
> >> Dec 19 10:37:08 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
> >> Dec 19 10:37:18 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
> >> Dec 19 10:37:18 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
> >> Dec 19 10:37:28 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
> >> Dec 19 10:37:28 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
> >> Dec 19 10:37:32 pbx daemon.notice miniupnpd[3936]: shutting down MiniUPnPd
> >> Dec 19 10:37:33 pbx daemon.notice miniupnpd[27970]: HTTP listening on port 5000
> >> Dec 19 10:37:33 pbx daemon.notice miniupnpd[27970]: Listening for NAT-PMP/PCP traffic on port 5351
> >> Dec 19 10:37:36 pbx daemon.warn miniupnpd[27970]: interface index not matching 0 != 7
> >> Dec 19 10:37:36 pbx daemon.warn miniupnpd[27970]: interface index not matching 0 != 7
> >> Dec 19 10:37:36 pbx daemon.warn miniupnpd[27970]: interface index not matching 0 != 7
> >> Dec 19 10:37:36 pbx daemon.warn miniupnpd[27970]: interface index not matching 0 != 7
> >> Dec 19 10:37:36 pbx daemon.warn miniupnpd[27970]: interface index not matching 0 != 7
> >>
> >>
> >> Totally flooded... I am going to have to revert to previous version.
> >> Is anyone else seeing this?
> >>
> >> Cause is this update...
> >> https://github.com/miniupnp/miniupnp/commit/50d21a38d0719682f276173efd705ccbe78aca3d#diff-daa89c3563f327bfe2e660cddc141ce7
> >>
> >> Any ideas? The only thing I can think of is whether this has to do with my use of a bridge on my internal LAN. So the "listening_ip" address is on the br0 interface rather than on a regular ethernet interface.
> >>
> >> Any thoughts?
> >> David
>
> Michael
>
> http://www.mksolutions.info
From: Lonnie A. <li...@lo...> - 2017-12-19 19:39:39

Hi David,

I think we can fix this with a patch, but not sure what is best yet ...

The struct lan_addr_s.index previously was only defined with ENABLE_IPV6, but now it is always defined.

So in get_lan_for_peer()
https://github.com/miniupnp/miniupnp/blob/master/miniupnpd/upnputils.c#L107
there still are a lot of ENABLE_IPV6 differences.

I think we can come up with a surgical fix. Let me know if you beat me to it.

Lonnie
From: Michael K. <li...@mk...> - 2017-12-19 18:12:24

> On 19.12.2017 at 18:57, Lonnie Abelbeck <li...@lo...> wrote:
>
> David and Michael,
>
> Do you both have UPnP enabled alone or part of NAT-PMP/PCP ?
>
> It seems without UPnP the error does not occur. Such as with [ NAT-PMP/PCP only ] .
>
> Lonnie

I have enabled "NAT-PMP/PCP & UPnP" on "1st LAN" on my router.

> On Dec 19, 2017, at 10:05 AM, David Kerr <Da...@Ke...> wrote:
>
>> Since miniupnpd version was bumped this week my syslog is getting flooded with warning messages...
>>
>> Dec 19 10:37:07 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
>> Dec 19 10:37:07 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
>> Dec 19 10:37:07 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
>> Dec 19 10:37:07 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
>> Dec 19 10:37:08 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
>> Dec 19 10:37:08 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
>> Dec 19 10:37:18 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
>> Dec 19 10:37:18 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
>> Dec 19 10:37:28 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
>> Dec 19 10:37:28 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
>> Dec 19 10:37:32 pbx daemon.notice miniupnpd[3936]: shutting down MiniUPnPd
>> Dec 19 10:37:33 pbx daemon.notice miniupnpd[27970]: HTTP listening on port 5000
>> Dec 19 10:37:33 pbx daemon.notice miniupnpd[27970]: Listening for NAT-PMP/PCP traffic on port 5351
>> Dec 19 10:37:36 pbx daemon.warn miniupnpd[27970]: interface index not matching 0 != 7
>> Dec 19 10:37:36 pbx daemon.warn miniupnpd[27970]: interface index not matching 0 != 7
>> Dec 19 10:37:36 pbx daemon.warn miniupnpd[27970]: interface index not matching 0 != 7
>> Dec 19 10:37:36 pbx daemon.warn miniupnpd[27970]: interface index not matching 0 != 7
>> Dec 19 10:37:36 pbx daemon.warn miniupnpd[27970]: interface index not matching 0 != 7
>>
>>
>> Totally flooded... I am going to have to revert to previous version.
>> Is anyone else seeing this?
>>
>> Cause is this update...
>> https://github.com/miniupnp/miniupnp/commit/50d21a38d0719682f276173efd705ccbe78aca3d#diff-daa89c3563f327bfe2e660cddc141ce7
>>
>> Any ideas? The only thing I can think of is whether this has to do with my use of a bridge on my internal LAN. So the "listening_ip" address is on the br0 interface rather than on a regular ethernet interface.
>>
>> Any thoughts?
>> David

Michael

http://www.mksolutions.info
From: Lonnie A. <li...@lo...> - 2017-12-19 18:08:47

On Dec 19, 2017, at 11:13 AM, Lonnie Abelbeck <li...@lo...> wrote:
> Hi David,
>
> I think you hit the nail on the head with the commit you referenced.
>
> I see both source_ifindex and source_if variables of type (int).
>
> Possibly lan_addr->index should be compared against source_ifindex and not source_if ?
>
> Lonnie

Never mind, source_ifindex is passed as an argument of ProcessSSDPData() which is then called source_if . Not the problem.

I'm still looking.

Lonnie
From: Lonnie A. <li...@lo...> - 2017-12-19 17:57:36

David and Michael,

Do you both have UPnP enabled alone or part of NAT-PMP/PCP ?

It seems without UPnP the error does not occur. Such as with [ NAT-PMP/PCP only ] .

Lonnie

On Dec 19, 2017, at 10:05 AM, David Kerr <Da...@Ke...> wrote:
> Since miniupnpd version was bumped this week my syslog is getting flooded with warning messages...
>
> Dec 19 10:37:07 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
> Dec 19 10:37:07 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
> Dec 19 10:37:07 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
> Dec 19 10:37:07 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
> Dec 19 10:37:08 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
> Dec 19 10:37:08 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
> Dec 19 10:37:18 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
> Dec 19 10:37:18 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
> Dec 19 10:37:28 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
> Dec 19 10:37:28 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
> Dec 19 10:37:32 pbx daemon.notice miniupnpd[3936]: shutting down MiniUPnPd
> Dec 19 10:37:33 pbx daemon.notice miniupnpd[27970]: HTTP listening on port 5000
> Dec 19 10:37:33 pbx daemon.notice miniupnpd[27970]: Listening for NAT-PMP/PCP traffic on port 5351
> Dec 19 10:37:36 pbx daemon.warn miniupnpd[27970]: interface index not matching 0 != 7
> Dec 19 10:37:36 pbx daemon.warn miniupnpd[27970]: interface index not matching 0 != 7
> Dec 19 10:37:36 pbx daemon.warn miniupnpd[27970]: interface index not matching 0 != 7
> Dec 19 10:37:36 pbx daemon.warn miniupnpd[27970]: interface index not matching 0 != 7
> Dec 19 10:37:36 pbx daemon.warn miniupnpd[27970]: interface index not matching 0 != 7
>
>
> Totally flooded... I am going to have to revert to previous version.
> Is anyone else seeing this?
>
> Cause is this update...
> https://github.com/miniupnp/miniupnp/commit/50d21a38d0719682f276173efd705ccbe78aca3d#diff-daa89c3563f327bfe2e660cddc141ce7
>
> Any ideas? The only thing I can think of is whether this has to do with my use of a bridge on my internal LAN. So the "listening_ip" address is on the br0 interface rather than on a regular ethernet interface.
>
> Any thoughts?
> David
From: Lonnie A. <li...@lo...> - 2017-12-19 17:13:48

Hi David,

I think you hit the nail on the head with the commit you referenced.

I see both source_ifindex and source_if variables of type (int).

Possibly lan_addr->index should be compared against source_ifindex and not source_if ?

Lonnie

On Dec 19, 2017, at 10:05 AM, David Kerr <Da...@Ke...> wrote:
> Since miniupnpd version was bumped this week my syslog is getting flooded with warning messages...
>
> Dec 19 10:37:07 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
> Dec 19 10:37:07 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
> Dec 19 10:37:07 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
> Dec 19 10:37:07 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
> Dec 19 10:37:08 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
> Dec 19 10:37:08 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
> Dec 19 10:37:18 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
> Dec 19 10:37:18 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
> Dec 19 10:37:28 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
> Dec 19 10:37:28 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
> Dec 19 10:37:32 pbx daemon.notice miniupnpd[3936]: shutting down MiniUPnPd
> Dec 19 10:37:33 pbx daemon.notice miniupnpd[27970]: HTTP listening on port 5000
> Dec 19 10:37:33 pbx daemon.notice miniupnpd[27970]: Listening for NAT-PMP/PCP traffic on port 5351
> Dec 19 10:37:36 pbx daemon.warn miniupnpd[27970]: interface index not matching 0 != 7
> Dec 19 10:37:36 pbx daemon.warn miniupnpd[27970]: interface index not matching 0 != 7
> Dec 19 10:37:36 pbx daemon.warn miniupnpd[27970]: interface index not matching 0 != 7
> Dec 19 10:37:36 pbx daemon.warn miniupnpd[27970]: interface index not matching 0 != 7
> Dec 19 10:37:36 pbx daemon.warn miniupnpd[27970]: interface index not matching 0 != 7
>
>
> Totally flooded... I am going to have to revert to previous version.
> Is anyone else seeing this?
>
> Cause is this update...
> https://github.com/miniupnp/miniupnp/commit/50d21a38d0719682f276173efd705ccbe78aca3d#diff-daa89c3563f327bfe2e660cddc141ce7
>
> Any ideas? The only thing I can think of is whether this has to do with my use of a bridge on my internal LAN. So the "listening_ip" address is on the br0 interface rather than on a regular ethernet interface.
>
> Any thoughts?
> David
From: Michael K. <li...@mk...> - 2017-12-19 16:08:54

> On 19.12.2017 at 17:05, David Kerr <da...@ke...> wrote:
>
> Since miniupnpd version was bumped this week my syslog is getting flooded with warning messages...
>
> Dec 19 10:37:07 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
> Dec 19 10:37:07 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
> Dec 19 10:37:07 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
> Dec 19 10:37:07 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
> Dec 19 10:37:08 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
> Dec 19 10:37:08 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
> Dec 19 10:37:18 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
> Dec 19 10:37:18 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
> Dec 19 10:37:28 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
> Dec 19 10:37:28 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
> Dec 19 10:37:32 pbx daemon.notice miniupnpd[3936]: shutting down MiniUPnPd
> Dec 19 10:37:33 pbx daemon.notice miniupnpd[27970]: HTTP listening on port 5000
> Dec 19 10:37:33 pbx daemon.notice miniupnpd[27970]: Listening for NAT-PMP/PCP traffic on port 5351
> Dec 19 10:37:36 pbx daemon.warn miniupnpd[27970]: interface index not matching 0 != 7
> Dec 19 10:37:36 pbx daemon.warn miniupnpd[27970]: interface index not matching 0 != 7
> Dec 19 10:37:36 pbx daemon.warn miniupnpd[27970]: interface index not matching 0 != 7
> Dec 19 10:37:36 pbx daemon.warn miniupnpd[27970]: interface index not matching 0 != 7
> Dec 19 10:37:36 pbx daemon.warn miniupnpd[27970]: interface index not matching 0 != 7
>
>
> Totally flooded... I am going to have to revert to previous version.
> Is anyone else seeing this?
>
> Cause is this update...
> https://github.com/miniupnp/miniupnp/commit/50d21a38d0719682f276173efd705ccbe78aca3d#diff-daa89c3563f327bfe2e660cddc141ce7
>
> Any ideas? The only thing I can think of is whether this has to do with my use of a bridge on my internal LAN. So the "listening_ip" address is on the br0 interface rather than on a regular ethernet interface.
>
> Any thoughts?
> David

I looked at my router and see the same, only the warnings are:

interface index not matching 0 != 3

Michael

http://www.mksolutions.info
From: David K. <da...@ke...> - 2017-12-19 16:06:00

Since miniupnpd version was bumped this week my syslog is getting flooded with warning messages...

Dec 19 10:37:07 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
Dec 19 10:37:07 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
Dec 19 10:37:07 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
Dec 19 10:37:07 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
Dec 19 10:37:08 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
Dec 19 10:37:08 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
Dec 19 10:37:18 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
Dec 19 10:37:18 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
Dec 19 10:37:28 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
Dec 19 10:37:28 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
Dec 19 10:37:32 pbx daemon.notice miniupnpd[3936]: shutting down MiniUPnPd
Dec 19 10:37:33 pbx daemon.notice miniupnpd[27970]: HTTP listening on port 5000
Dec 19 10:37:33 pbx daemon.notice miniupnpd[27970]: Listening for NAT-PMP/PCP traffic on port 5351
Dec 19 10:37:36 pbx daemon.warn miniupnpd[27970]: interface index not matching 0 != 7
Dec 19 10:37:36 pbx daemon.warn miniupnpd[27970]: interface index not matching 0 != 7
Dec 19 10:37:36 pbx daemon.warn miniupnpd[27970]: interface index not matching 0 != 7
Dec 19 10:37:36 pbx daemon.warn miniupnpd[27970]: interface index not matching 0 != 7
Dec 19 10:37:36 pbx daemon.warn miniupnpd[27970]: interface index not matching 0 != 7

Totally flooded... I am going to have to revert to previous version.
Is anyone else seeing this?

Cause is this update...
https://github.com/miniupnp/miniupnp/commit/50d21a38d0719682f276173efd705ccbe78aca3d#diff-daa89c3563f327bfe2e660cddc141ce7

Any ideas? The only thing I can think of is whether this has to do with my use of a bridge on my internal LAN. So the "listening_ip" address is on the br0 interface rather than on a regular ethernet interface.

Any thoughts?
David
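Added example, not part of the thread and not miniupnpd code: a small Python triage script for a syslog flood of the shape quoted above. It parses the lines, collapses the flood into one entry per daemon pid, checks whether the restart at 10:37:32 changed anything (same stored/actual pair logged by the new pid means the cause is configuration or code, not a stale process), and reads the pair itself: interface index 0 is never a valid Linux ifindex (if_nametoindex() returns 0 on failure), so "0 != 7" says the daemon's stored index was never populated rather than that packets arrived on the wrong interface. The sample lines are constructed from the excerpt above (trimmed to a few), and the field names and diagnosis wording are this example's own, not miniupnpd's.

```python
import re
from datetime import datetime

# Constructed sample: the shape of the syslog excerpt quoted in the thread, trimmed to a few lines.
SAMPLE_SYSLOG = """\
Dec 19 10:37:07 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
Dec 19 10:37:07 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
Dec 19 10:37:08 pbx daemon.warn miniupnpd[3936]: interface index not matching 0 != 7
Dec 19 10:37:32 pbx daemon.notice miniupnpd[3936]: shutting down MiniUPnPd
Dec 19 10:37:33 pbx daemon.notice miniupnpd[27970]: HTTP listening on port 5000
Dec 19 10:37:33 pbx daemon.notice miniupnpd[27970]: Listening for NAT-PMP/PCP traffic on port 5351
Dec 19 10:37:36 pbx daemon.warn miniupnpd[27970]: interface index not matching 0 != 7
Dec 19 10:37:36 pbx daemon.warn miniupnpd[27970]: interface index not matching 0 != 7
"""

# BSD-style syslog line: "Mon DD HH:MM:SS host facility.severity prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<facility>\w+)\.(?P<severity>\w+) (?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# The warning text as it appears in the excerpt: "<stored> != <actual>".
MISMATCH_RE = re.compile(r"interface index not matching (?P<got>\d+) != (?P<want>\d+)")


def parse_syslog(text):
    """Split syslog lines into fields; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["pid"] = int(rec["pid"])
        records.append(rec)
    return records


def summarize_mismatches(records, prog="miniupnpd"):
    """Collapse the flood into one entry per daemon pid: warning count,
    the distinct (stored, actual) index pairs, and the time span covered."""
    summary = {}
    for rec in records:
        if rec["prog"] != prog:
            continue
        m = MISMATCH_RE.search(rec["msg"])
        if not m:
            continue
        entry = summary.setdefault(
            rec["pid"], {"count": 0, "pairs": set(), "first": rec["ts"], "last": rec["ts"]}
        )
        entry["count"] += 1
        entry["pairs"].add((int(m["got"]), int(m["want"])))
        entry["last"] = rec["ts"]
    return summary


def restart_did_not_help(summary):
    """True when more than one pid (i.e. at least one daemon restart) logged the same
    index pair: the mismatch lives in configuration or code, not in a stale process."""
    pairs = [entry["pairs"] for entry in summary.values()]
    return len(pairs) > 1 and bool(set.intersection(*pairs))


def diagnose(summary):
    """Read each (stored, actual) pair. A stored index of 0 is never a valid Linux
    ifindex (if_nametoindex() returns 0 on failure), so it means the value was never
    populated; two different non-zero values point at a real interface mix-up."""
    notes = []
    for pid, entry in sorted(summary.items()):
        for got, want in sorted(entry["pairs"]):
            if got == 0:
                notes.append(f"pid {pid}: stored index 0 vs actual {want}: stored value never populated")
            else:
                notes.append(f"pid {pid}: stored index {got} vs actual {want}: packets arrive on another interface")
    return notes


def warnings_per_minute(summary):
    """Rough warning rate per pid from its first and last timestamp (year-less stamps,
    so this is only meaningful within one day's log)."""
    rates = {}
    for pid, entry in summary.items():
        t0 = datetime.strptime(entry["first"], "%b %d %H:%M:%S")
        t1 = datetime.strptime(entry["last"], "%b %d %H:%M:%S")
        span = max((t1 - t0).total_seconds(), 1.0)
        rates[pid] = entry["count"] * 60.0 / span
    return rates


if __name__ == "__main__":
    summary = summarize_mismatches(parse_syslog(SAMPLE_SYSLOG))
    for pid, entry in sorted(summary.items()):
        print(f"pid {pid}: {entry['count']} warnings, pairs {sorted(entry['pairs'])}, "
              f"{entry['first']} .. {entry['last']}")
    print("restart did not help:", restart_did_not_help(summary))
    for note in diagnose(summary):
        print(note)
```

Feed it a real log with `summarize_mismatches(parse_syslog(open("/var/log/messages").read()))`; the per-pid summary is also a reasonable shape for an alert, since "same pair after restart" is the signal that a package update rather than a flapping interface is to blame.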
From: Michael K. <mic...@ip...> - 2017-12-03 04:26:29

Wow, looks super easy to set up. So is it ready for production?

Regards
Michael Knill

-----Original Message-----
From: Lonnie Abelbeck <li...@lo...>
Reply-To: AstLinux Developers Mailing List <ast...@li...>
Date: Sunday, 3 December 2017 at 10:13 am
To: AstLinux List <ast...@li...>
Cc: AstLinux Developers Mailing List <ast...@li...>
Subject: [Astlinux-devel] AstLinux Pre-Release: astlinux-1.3-3534-c5e366

Announcing Pre-Release Version: astlinux-1.3-3534-c5e366

Particularly notable is the addition of the WireGuard VPN.

The AstLinux Team is regularly upgrading packages containing security and bug fixes as well as adding new features of our own.

-- WireGuard VPN, new package; an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography.
http://doc.astlinux-project.org/userdoc:tt_wireguard_vpn

-- Asterisk 13 version bump to 13.18.3

These pre-release images are for those who would like to take advantage of the AstLinux development before the next official release, as well as providing testing for the project.

The "AstLinux Pre-Release ChangeLog" and "Repository URL" entries can be found under the "Development" tab of the AstLinux Project web site ...

AstLinux Project -> Development
http://www.astlinux-project.org/dev.html

While these images are considered 'stable', the lack of testing will not make these images suitable for critical production systems.

If you should come across an issue, please report back here.

AstLinux Team
From: Lonnie A. <li...@lo...> - 2017-12-02 23:13:11

Announcing Pre-Release Version: astlinux-1.3-3534-c5e366

Particularly notable is the addition of the WireGuard VPN.

The AstLinux Team is regularly upgrading packages containing security and bug fixes as well as adding new features of our own.

-- WireGuard VPN, new package; an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography.
http://doc.astlinux-project.org/userdoc:tt_wireguard_vpn

-- Asterisk 13 version bump to 13.18.3

These pre-release images are for those who would like to take advantage of the AstLinux development before the next official release, as well as providing testing for the project.

The "AstLinux Pre-Release ChangeLog" and "Repository URL" entries can be found under the "Development" tab of the AstLinux Project web site ...

AstLinux Project -> Development
http://www.astlinux-project.org/dev.html

While these images are considered 'stable', the lack of testing will not make these images suitable for critical production systems.

If you should come across an issue, please report back here.

AstLinux Team
From: Lonnie A. <li...@lo...> - 2017-11-14 22:15:05

On Nov 14, 2017, at 3:44 PM, David Kerr <Da...@Ke...> wrote:
> Okay, so during a coffee break here in the office, I got a Ubuntu VM talking to my AstLinux at home, I can ping hosts on my internal LAN at home. Basically I followed https://git.zx2c4.com/WireGuard/plain/contrib/examples/ncat-client-server/client.sh to figure it out.

Excellent.

BTW, you could have also used the general Linux wg-quick script (wireguard-tools) to bring the VPN up and down. AstLinux does not include the wg-quick script but our /etc/init.d/wireguard does the same basic thing.

> Now that done, it prompts more questions...
> 1) I had to manually assign an IP address at my client side. Is that right? No way to push down an available IP address from the server within a subnet setup at the server side? So, e.g. I have 172.23.19.1 set as my server side wg0 IP address, and at the client I set 172.23.19.2. And in AllowedIPs I let all 172.23.19.1/24 go through the VPN.

I think it is possible to not define an IP address for the remote peer ("client" as you say) as long as useful AllowedIPs are defined, but for AstLinux we require a unique IPv4 address to be assigned to the wg0 interface.

WireGuard is simple, no negotiating, no pushing or pulling options or addresses.

> 2) I had to manually add a route to my internal 192.168.x.0/24 on the client side before I could ping devices on my home LAN. Again, any way for this to be pushed down from the server?

This is automatic in AstLinux, and the general Linux wg-quick script also automatically creates the routes to wg0 based on the AllowedIPs peer networks in wg0.conf .

> Crying out for a GUI at the client side I think.

I can hardly wait for an iOS WireGuard App and ChromeOS support.

Lonnie

> David
>
> On Tue, Nov 14, 2017 at 4:32 PM, Lonnie Abelbeck <li...@lo...> wrote:
> > Hi David,
> >
> > There is no client vs. server per se, it is peer to peer, but a WireGuard endpoint with many peer entries connected with WireGuard endpoints with only a single peer, the multi-peer endpoint might be thought of as a server.
> >
> > Also a roaming (road-warrior) "client" peer would have an "Endpoint = " entry to the "server" which the server's peer would not have an "Endpoint = " entry, the connection would be initiated by the "client".
> >
> > I would try AstLinux to AstLinux to learn, but AstLinux to General Linux should work as well.
> >
> > One thing to keep in mind is if you have multiple peers, the AllowedIPs networks must be unique across all peers, as it describes a sort of routing table for the wg0 traffic.
> >
> > > So, make sure I understand this correct. I need to put the public key of the client I want to let connect into the wg0.conf file, right? And the subnet of the IP address that this client is going to use into Allowed IP's?
> >
> > Yes the public key of the remote peer, and the AllowedIPs are networks that are directed *to* that peer.
> >
> > Often you might define a 10.4.0.0/24 wg0 interface shared across all peers, and then add AllowedIPs to route traffic to various peers.
> >
> > For Example Boxes A and B:
> >
> > Box A: (External IPv4 Address: 1.2.3.4)
> >
> > WireGuard VPN:
> > IPv4 Address: 10.4.0.10
> > IPv4 NetMask: 255.255.255.0
> >
> > -- Box A - wg0.conf --
> > [Interface]
> > ...
> > [Peer]
> > PublicKey = <Box B public key>
> > Endpoint = 5.6.7.8:51820
> > AllowedIPs = 10.4.0.11/32
> > --
> >
> > Box B: (External IPv4 Address: 5.6.7.8)
> >
> > WireGuard VPN:
> > IPv4 Address: 10.4.0.11
> > IPv4 NetMask: 255.255.255.0
> >
> > -- Box B - wg0.conf --
> > [Interface]
> > ...
> > [Peer]
> > PublicKey = <Box A public key>
> > Endpoint = 1.2.3.4:51820
> > AllowedIPs = 10.4.0.10/32
> > --
> >
> > Now take this a step further with local LAN's and you want to route between them
> >
> > Box A LAN: 192.168.10.0/24
> > Box B LAN: 192.168.11.0/24
> >
> > -- Box A - wg0.conf --
> > [Interface]
> > ...
> > [Peer]
> > PublicKey = <Box B public key>
> > Endpoint = 5.6.7.8:51820
> > AllowedIPs = 10.4.0.11/32, 192.168.11.0/24
> > --
> >
> > -- Box B - wg0.conf --
> > [Interface]
> > ...
> > [Peer]
> > PublicKey = <Box A public key>
> > Endpoint = 1.2.3.4:51820
> > AllowedIPs = 10.4.0.10/32, 192.168.10.0/24
> > --
> >
> > Even further, add Box C roaming road-warrior, VPN 10.4.0.12, without a LAN, and want all boxes to talk to each other, making Box A the "server"
> >
> > -- Box A - wg0.conf --
> > [Interface]
> > ...
> > [Peer]
> > PublicKey = <Box B public key>
> > Endpoint = 5.6.7.8:51820
> > AllowedIPs = 10.4.0.11/32, 192.168.11.0/24
> >
> > [Peer]
> > PublicKey = <Box C public key>
> > AllowedIPs = 10.4.0.12/32
> > --
> >
> > -- Box B - wg0.conf --
> > [Interface]
> > ...
> > [Peer]
> > PublicKey = <Box A public key>
> > Endpoint = 1.2.3.4:51820
> > AllowedIPs = 10.4.0.0/24, 192.168.10.0/24
> > --
> >
> > -- Box C - wg0.conf --
> > [Interface]
> > ...
> > [Peer]
> > PublicKey = <Box A public key>
> > Endpoint = 1.2.3.4:51820
> > AllowedIPs = 10.4.0.0/24, 192.168.10.0/24
> > --
> >
> > > If I want to let multiple clients attach how do I go about that? Where would I list the multiple permitted public keys?
> >
> > Define multiple [Peer] entries with the corresponding PublicKey's, simple as that :-)
> >
> > Lonnie
> >
> > On Nov 14, 2017, at 2:23 PM, David Kerr <Da...@Ke...> wrote:
> > > Lonnie,
> > > Thanks, sounds good. Maybe I missed it, but in reading the doc you wrote I could see how to set up a server, but not how to set up AstLinux as a client? I'm keen to try this out, but will start with a Linux client in a VM. Time to google for instructions on that.
> > >
> > > Thanks
> > > David
> > >
> > > On Tue, Nov 14, 2017 at 2:06 PM, Lonnie Abelbeck <li...@lo...> wrote:
> > > > On Nov 14, 2017, at 11:37 AM, Michael Keuter <li...@mk...> wrote:
> > > > > > On 14.11.2017 at 17:56, David Kerr <da...@ke...> wrote:
> > > > > >
> > > > > > Lonnie,
> > > > > > I have some questions on the new Wireguard features...
> > > > > >
> > > > > > Does AstLinux implement server only, or both client and server? I.e., can I use WireGuard to connect two AstLinux boxes together over the internet... and allow clients on each LAN to route traffic through the VPN to the other's LAN?
> > > > >
> > > > > Yes. (Both client and server)
> > > >
> > > > Hi David,
> > > >
> > > > I currently have a remote SIP peer over WireGuard instead of public SIP for an AstLinux to AstLinux configuration. I also AllowedIPs one of my LAN IP's to perform remote management. Works great!
> > > >
> > > > And the tunnel can transfer both IPv4/IPv6 and any peer to peer connection can be over either IPv4 or IPv6.
> > > >
> > > > > > Is the public/private key used by the VPN the same as that used by other AstLinux services and can it be a LetsEncrypt/acme issued/managed certificate?
> > > > >
> > > > > No.
> > > >
> > > > The public keys are short, base64 encoded strings like "HIgo9xNzJMWLKASShiTqIybxZ0U3wGLiUeJ1PKf8ykw=" thanks to Elliptic-curve cryptography. Simple Copy/Paste to share public keys between peers.
> > > >
> > > > Yesterday I fired up a VM and created a WireGuard tunnel between the VM and one of my test boxes, it took less than 2 minutes.
> > > >
> > > > > > Are you aware of any easy to use MacOS or Windows clients?
> > > > >
> > > > > There are none yet.
> > > > > https://www.wireguard.com/install/
> > > > >
> > > > > Michael
> > > >
> > > > It will take a little time for non-Linux user-space implementations, but that is on the roadmap. Android will probably appear first.
> > > >
> > > > In the lab I have achieved iperf3 speeds of nearly 700 Mbps using two parallel streams between a Qotom J1900 and Jetway N2930 over a WireGuard VPN. OpenVPN maxes out at 110 Mbps. For AstLinux users 1 Gb VPN routing is probably not needed yet, but the efficiency leaves more CPU head-room for Asterisk and other services, and not to mention the very easy configuration for site to site VPN's.
> > > >
> > > > More interesting tidbits ...
> > > >
> > > > It looks pretty clear that WireGuard will make it into the mainline Linux kernel:
> > > > https://plus.google.com/+gregkroahhartman/posts/jD6N4BzToa3
> > > >
> > > > A VPN provider comments - WireGuard is the future
> > > > https://mullvad.net/blog/2017/9/27/wireguard-future/
> > > >
> > > > A lot of projects offer WireGuard...
> > > > https://www.wireguard.com/install/
> > > >
> > > > Lonnie
From: David K. <da...@ke...> - 2017-11-14 21:45:28
|
Okay, so during a coffee break here in the office, I got a Ubuntu VM talking to my AstLinux at home, I can ping hosts on my internal LAN at home. Basically I followed https://git.zx2c4.com/WireGuard/plain/contrib/examples/ncat-client-server/client.sh to figure it out.

Now that that's done, it prompts more questions...

1) I had to manually assign an IP address at my client side. Is that right? No way to push down an available IP address from the server within a subnet setup at the server side? So, e.g. I have 172.23.19.1 set as my server side wg0 IP address, and at the client I set 172.23.19.2. And in AllowedIPs I let all 172.23.19.1/24 go through the VPN.

2) I had to manually add a route to my internal 192.168.x.0/24 on the client side before I could ping devices on my home LAN. Again, any way for this to be pushed down from the server?

Crying out for a GUI at the client side I think.

David |
From: Lonnie A. <li...@lo...> - 2017-11-14 21:32:30
|
Hi David,

There is no client vs. server per se, it is peer to peer, but when a WireGuard endpoint with many peer entries is connected with WireGuard endpoints with only a single peer, the multi-peer endpoint might be thought of as a server.

Also a roaming (road-warrior) "client" peer would have an "Endpoint = " entry for the "server", whereas the server's peer entry would not have an "Endpoint = " entry; the connection would be initiated by the "client".

I would try AstLinux to AstLinux to learn, but AstLinux to General Linux should work as well.

One thing to keep in mind is if you have multiple peers, the AllowedIPs networks must be unique across all peers, as it describes a sort of routing table for the wg0 traffic.

> So, make sure I understand this correctly. I need to put the public key of the client I want to let connect into the wg0.conf file, right? And the subnet of the IP address that this client is going to use into Allowed IP's?

Yes, the public key of the remote peer, and the AllowedIPs are networks that are directed *to* that peer.

Often you might define a 10.4.0.0/24 wg0 interface shared across all peers, and then add AllowedIPs to route traffic to various peers.

For example, Boxes A and B:

Box A: (External IPv4 Address: 1.2.3.4)

WireGuard VPN:
IPv4 Address: 10.4.0.10
IPv4 NetMask: 255.255.255.0

-- Box A - wg0.conf --
[Interface]
...
[Peer]
PublicKey = <Box B public key>
Endpoint = 5.6.7.8:51820
AllowedIPs = 10.4.0.11/32
--

Box B: (External IPv4 Address: 5.6.7.8)

WireGuard VPN:
IPv4 Address: 10.4.0.11
IPv4 NetMask: 255.255.255.0

-- Box B - wg0.conf --
[Interface]
...
[Peer]
PublicKey = <Box A public key>
Endpoint = 1.2.3.4:51820
AllowedIPs = 10.4.0.10/32
--

Now take this a step further with local LAN's and you want to route between them

Box A LAN: 192.168.10.0/24
Box B LAN: 192.168.11.0/24

-- Box A - wg0.conf --
[Interface]
...
[Peer]
PublicKey = <Box B public key>
Endpoint = 5.6.7.8:51820
AllowedIPs = 10.4.0.11/32, 192.168.11.0/24
--

-- Box B - wg0.conf --
[Interface]
...
[Peer]
PublicKey = <Box A public key>
Endpoint = 1.2.3.4:51820
AllowedIPs = 10.4.0.10/32, 192.168.10.0/24
--

Even further, add Box C as a roaming road-warrior, VPN 10.4.0.12, without a LAN, and you want all boxes to talk to each other, making Box A the "server"

-- Box A - wg0.conf --
[Interface]
...
[Peer]
PublicKey = <Box B public key>
Endpoint = 5.6.7.8:51820
AllowedIPs = 10.4.0.11/32, 192.168.11.0/24

[Peer]
PublicKey = <Box C public key>
AllowedIPs = 10.4.0.12/32
--

-- Box B - wg0.conf --
[Interface]
...
[Peer]
PublicKey = <Box A public key>
Endpoint = 1.2.3.4:51820
AllowedIPs = 10.4.0.0/24, 192.168.10.0/24
--

-- Box C - wg0.conf --
[Interface]
...
[Peer]
PublicKey = <Box A public key>
Endpoint = 1.2.3.4:51820
AllowedIPs = 10.4.0.0/24, 192.168.10.0/24
--

> If I want to let multiple clients attach how do I go about that? Where would I list the multiple permitted public keys?

Define multiple [Peer] entries with the corresponding PublicKey's, simple as that :-)

Lonnie |
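Lonnie's description of AllowedIPs as a routing table, modelled as an added Python example (not code from the thread or from AstLinux): it parses the [Peer] sections of the three-box Box A wg0.conf above, answers which peer wg0 would send a given destination to by longest-prefix match on AllowedIPs, and flags an AllowedIPs entry that is listed under two peers, which is the uniqueness caveat. The `<Box X public key>` strings are the thread's placeholders, and the clashing variant is constructed here for the check.

```python
# Model of WireGuard "cryptokey routing" for the thread's Box A / B / C wg0.conf.
# Added example, not code from the thread or from AstLinux; keys are placeholders.
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Peer = Dict[str, str]

# Box A's wg0.conf from the thread (three-box case).  Box B is a site with a LAN;
# Box C is a road-warrior with no Endpoint, so Box C must initiate the tunnel.
BOX_A_CONF = """\
[Interface]
...
[Peer]
PublicKey = <Box B public key>
Endpoint = 5.6.7.8:51820
AllowedIPs = 10.4.0.11/32, 192.168.11.0/24

[Peer]
PublicKey = <Box C public key>
AllowedIPs = 10.4.0.12/32
"""

# Constructed misconfiguration: Box C's peer entry also claims Box B's tunnel address.
BOX_A_CONF_CLASH = BOX_A_CONF.replace(
    "AllowedIPs = 10.4.0.12/32", "AllowedIPs = 10.4.0.12/32, 10.4.0.11/32")


def parse_peers(conf: str) -> List[Peer]:
    """Return the [Peer] sections of an INI-style wg0.conf as dicts.

    Keys are lower-cased ("publickey", "endpoint", "allowedips").  Lines outside
    a [Peer] section, comments and lines without '=' (the "...") are skipped.
    """
    peers: List[Peer] = []
    current: Optional[Peer] = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {} if line.lower() == "[peer]" else None
            if current is not None:
                peers.append(current)
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return peers


def allowed_networks(peer: Peer) -> List[Network]:
    """One peer's AllowedIPs as network objects, e.g. "10.4.0.11/32" -> IPv4Network."""
    raw = peer.get("allowedips", "")
    return [ipaddress.ip_network(n.strip(), strict=False)
            for n in raw.split(",") if n.strip()]


def route_lookup(peers: List[Peer], dst: str) -> Optional[str]:
    """PublicKey of the peer wg0 sends a packet for dst to, or None if no peer matches.

    AllowedIPs is the outbound routing table of the interface: the peer owning the
    longest prefix that contains dst wins; an unmatched destination is dropped.
    """
    addr = ipaddress.ip_address(dst)
    best_key, best_len = None, -1
    for peer in peers:
        for net in allowed_networks(peer):
            if net.version == addr.version and addr in net and net.prefixlen > best_len:
                best_key, best_len = peer.get("publickey"), net.prefixlen
    return best_key


def duplicate_allowed_ips(peers: List[Peer]) -> List[Tuple[str, str, str]]:
    """Report every AllowedIPs entry listed under more than one peer.

    This is Lonnie's caveat that the networks must be unique across peers: an
    allowed IP belongs to exactly one peer, so a repeated entry means one of the
    two peers silently loses that route.  Returns (network, first, later) triples.
    """
    owner: Dict[Network, str] = {}
    clashes: List[Tuple[str, str, str]] = []
    for peer in peers:
        key = peer.get("publickey", "<missing PublicKey>")
        for net in allowed_networks(peer):
            if net in owner and owner[net] != key:
                clashes.append((str(net), owner[net], key))
            owner.setdefault(net, key)
    return clashes


if __name__ == "__main__":
    peers = parse_peers(BOX_A_CONF)
    for dst in ("192.168.11.5", "10.4.0.12", "192.168.10.1"):  # last is Box A's own LAN: None
        print(f"{dst:>14} -> {route_lookup(peers, dst)}")
    for net, first, later in duplicate_allowed_ips(parse_peers(BOX_A_CONF_CLASH)):
        print(f"clash: {net} listed for both {first} and {later}")
```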
From: Michael K. <li...@mk...> - 2017-11-14 21:18:39
|
> On 14.11.2017 at 21:55 David Kerr <da...@ke...> wrote:
>
> So, make sure I understand this correctly. I need to put the public key of the client I want to let connect into the wg0.conf file, right? And the subnet of the IP address that this client is going to use into Allowed IP's?
>
> If I want to let multiple clients attach how do I go about that? Where would I list the multiple permitted public keys?
>
> Thanks
> David

Then you need to create multiple peer sections within the "wg0.conf" on the server side, one for every remote site.

https://www.wireguard.com/quickstart/

Michael
http://www.mksolutions.info |
From: David K. <da...@ke...> - 2017-11-14 20:56:03
|
So, make sure I understand this correctly. I need to put the public key of the client I want to let connect into the wg0.conf file, right? And the subnet of the IP address that this client is going to use into Allowed IP's?

If I want to let multiple clients attach how do I go about that? Where would I list the multiple permitted public keys?

Thanks
David |
From: David K. <da...@ke...> - 2017-11-14 20:24:26
|
Lonnie,
Thanks, sounds good. Maybe I missed it, but in reading the doc you wrote I could see how to set up a server, but not how to set up AstLinux as a client? I'm keen to try this out, but will start with a Linux client in a VM. Time to google for instructions on that.

Thanks
David |
From: Lonnie A. <li...@lo...> - 2017-11-14 19:07:02
|
On Nov 14, 2017, at 11:37 AM, Michael Keuter <li...@mk...> wrote:

>> On 14.11.2017 at 17:56 David Kerr <da...@ke...> wrote:
>>
>> Lonnie,
>> I have some questions on the new Wireguard features...
>>
>> Does AstLinux implement server only, or both client and server? ie, can I use wireguard to connect two AstLinux boxes together over the internet... and allow clients on each LAN to route traffic through the VPN to the other's LAN?
>
> Yes. (Both client and server)

Hi David,

I currently have a remote SIP peer over WireGuard instead of public SIP for an AstLinux to AstLinux configuration. I also AllowedIPs one of my LAN IP's to perform remote management. Works great!

And the tunnel can transfer both IPv4/IPv6 and any peer to peer connection can be over either IPv4 or IPv6.

>> Is the public/private key used by the VPN the same as that used by other AstLinux services and can it be a LetsEncrypt/acme issued/managed certificate?
>
> No.

The public keys are short, base64 encoded strings like "HIgo9xNzJMWLKASShiTqIybxZ0U3wGLiUeJ1PKf8ykw=" thanks to Elliptic-curve cryptography. Simple Copy/Paste to share public keys between peers.

Yesterday I fired up a VM and created a WireGuard tunnel between the VM and one of my test boxes, it took less than 2 minutes.

>> Are you aware of any easy to use MacOS or Windows clients?
>
> There are none yet.
> https://www.wireguard.com/install/
>
> Michael

It will take a little time for non-Linux user-space implementations, but that is on the roadmap. Android will probably appear first.

In the lab I have achieved iperf3 speeds of nearly 700 Mbps using two parallel streams between a Qotom J1900 and Jetway N2930 over a WireGuard VPN. OpenVPN maxes out at 110 Mbps. For AstLinux users 1 Gb VPN routing is probably not needed yet, but the efficiency leaves more CPU head-room for Asterisk and other services, not to mention the very easy configuration for site to site VPN's.

More interesting tidbits ...

It looks pretty clear that WireGuard will make it into the mainline Linux kernel:
https://plus.google.com/+gregkroahhartman/posts/jD6N4BzToa3

A VPN provider comments - WireGuard is the future
https://mullvad.net/blog/2017/9/27/wireguard-future/

A lot of projects offer WireGuard...
https://www.wireguard.com/install/

Lonnie |
From: Michael K. <li...@mk...> - 2017-11-14 17:38:00
|
> On 14.11.2017 at 17:56 David Kerr <da...@ke...> wrote:
>
> Lonnie,
> I have some questions on the new Wireguard features...
>
> Does AstLinux implement server only, or both client and server? ie, can I use wireguard to connect two AstLinux boxes together over the internet... and allow clients on each LAN to route traffic through the VPN to the other's LAN?

Yes. (Both client and server)

> Is the public/private key used by the VPN the same as that used by other AstLinux services and can it be a LetsEncrypt/acme issued/managed certificate?

No.

> Are you aware of any easy to use MacOS or Windows clients?

There are none yet.
https://www.wireguard.com/install/

Michael
http://www.mksolutions.info |
From: David K. <da...@ke...> - 2017-11-14 17:21:00
|
Lonnie,
I have some questions on the new Wireguard features...

Does AstLinux implement server only, or both client and server? ie, can I use wireguard to connect two AstLinux boxes together over the internet... and allow clients on each LAN to route traffic through the VPN to the other's LAN?

Is the public/private key used by the VPN the same as that used by other AstLinux services and can it be a LetsEncrypt/acme issued/managed certificate?

Are you aware of any easy to use MacOS or Windows clients?

Thanks
David |
From: Lonnie A. <li...@lo...> - 2017-11-14 15:13:38
|
Announcing Pre-Release Version: astlinux-1.3-3510-3ca6e3

Particularly notable is the addition of the WireGuard VPN. WireGuard is relatively new, but its efficiency and simple configuration make it a perfect match for AstLinux and distributed SIP voice networks. While WireGuard is still considered "experimental", an official release should be coming soon, and it is fully usable for testing now. Many Linux projects support WireGuard.

It would make sense for SIP trunk providers to offer their services over WireGuard ... seems like a great solution to securely encrypt SIP, work around NAT, and keep external SIP ports from being exposed.

Currently there is little support for WireGuard other than for Linux, since it was first implemented as a Linux kernel module. But several user-space implementations are actively being worked on.

A special thanks to Michael Keuter for suggesting WireGuard and testing.

The AstLinux Team is regularly upgrading packages containing security and bug fixes as well as adding new features of our own.

-- WireGuard VPN, new package; an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography.
http://doc.astlinux-project.org/userdoc:tt_wireguard_vpn

-- Asterisk 13 version bump to 13.18.2

If you need a VM ISO, privately email me, or install the 1.3.1 ISO and upgrade to astlinux-1.3-3510-3ca6e3 .

These pre-release images are for those who would like to take advantage of the AstLinux development before the next official release, as well as providing testing for the project.

The "AstLinux Pre-Release ChangeLog" and "Repository URL" entries can be found under the "Development" tab of the AstLinux Project web site ...

AstLinux Project -> Development
http://www.astlinux-project.org/dev.html

While these images are considered 'stable', the lack of testing will not make these images suitable for critical production systems.

If you should come across an issue, please report back here.

AstLinux Team |
From: Lonnie A. <li...@lo...> - 2017-09-29 21:12:32
Announcing AstLinux Release: 1.3.1

More Info: AstLinux Project
http://www.astlinux-project.org/

AstLinux 1.3.1 Highlights:
• Significant RTP security fixes added to Asterisk
• Added Tarsnap Online Backup support, performing remote, online, "Trust No One" encrypted snapshots
• Added DuckDNS Dynamic DNS supporting IPv4/IPv6 and acme-client DNS validation support
• Firewall reload-blocklist-netset cron script now uses new FireHOL URLs
• Web Interface enhancements and package upgrades providing important security and bug fixes

AstLinux 1.3.0 Highlights:
• Major upgrade to Linux Kernel 3.16.44, including the RUNNIX bootloader
• The default serial baud rate is now 115200 instead of the previous 19200
• New firewall "net-prefix-translation" plugin, provides NPTv6 (Network Prefix Translation) for IPv6
• Updated firewall "traffic-shaper" plugin, use fq_codel (Fair Queueing CoDel) for both 'htb' and 'hfsc' types
• New command "acme-client" to generate Let's Encrypt certificates using the ACME protocol
• Added support for VMware Tools, vmw_pvscsi and virtio-scsi disk drivers (genx86_64-vm)

Full ChangeLog:
https://raw.githubusercontent.com/astlinux-project/astlinux/1.3.1/docs/ChangeLog.txt

All users are encouraged to upgrade.

AstLinux Team
From: Lonnie A. <li...@lo...> - 2017-09-12 21:51:55
Added: https://github.com/astlinux-project/astlinux/commit/aa703bfc48c0b939348205318387a512bb1fe1fe

Works as expected in my testing.

Lonnie

On Sep 12, 2017, at 3:57 PM, Michael Keuter <li...@mk...> wrote:

> For me too!
>
> Sent from a mobile device.
>
> Michael Keuter
>
>> On 12.09.2017 at 22:20, Michael Knill <mic...@ip...> wrote:
>>
>> Sounds great to me!
>>
>> Regards
>> Michael Knill
>>
>> -----Original Message-----
>> From: Lonnie Abelbeck <li...@lo...>
>> Reply-To: AstLinux Developers Mailing List <ast...@li...>
>> Date: Wednesday, 13 September 2017 at 4:55 am
>> To: AstLinux Developers Mailing List <ast...@li...>
>> Subject: [Astlinux-devel] Adding OpenVPN clients needs a service restart (sometimes)
>>
>> Moved to the astlinux-devel list ...
>>
>> I thought of a more elegant solution, how about if in the /usr/sbin/openvpn-tls-verify script we source /mnt/kd/rc.conf.d/gui.openvpn.conf instead of /etc/rc.conf ?
>>
>> Possibly we could make sure /mnt/kd/rc.conf.d/gui.openvpn.conf is newer than /etc/rc.conf as a sanity check.
>>
>> While this would not be perfect, it would use the updated OVPN_VALIDCLIENTS when a new client was added without having to restart OpenVPN.
>>
>> Additionally, if one or more clients are already "Disabled" this would also allow additional clients to be Disabled without restarting OpenVPN.
>>
>> The only edge condition I can think of is when OpenVPN was last started with "Disabled" clients and later all "Disabled" clients were unchecked (Enabled) and saved; in that case an OpenVPN Server restart would be needed, and no new clients could connect until the restart. A low percentage edge condition compared to the typical operation.
>>
>> Needs some testing ...
>>
>> Lonnie
>>
>>
>>> On Sep 11, 2017, at 4:46 PM, Michael Knill <mic...@ip...> wrote:
>>>
>>> Hi Lonnie
>>>
>>> Could we reconfigure the script so that when you press the 'New Client' button it automatically does this?
>>>
>>> Regards
>>> Michael Knill
>>>
>>> -----Original Message-----
>>> From: Lonnie Abelbeck <li...@lo...>
>>> Reply-To: AstLinux List <ast...@li...>
>>> Date: Tuesday, 12 September 2017 at 7:01 am
>>> To: AstLinux List <ast...@li...>
>>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>>>
>>> Michael,
>>>
>>> Not having any "disabled" Client CN's would be a solution.
>>>
>>> Power User tip -> if (only) a new Client is added with previously "disabled" Client CN's and continued "disabled" Client CN's, the CLI command "gen-rc-conf" will apply the new OVPN_VALIDCLIENTS without restarting OpenVPN.
>>>
>>> Lonnie
>>>
>>>
>>>> On Sep 11, 2017, at 3:43 PM, Michael Knill <mic...@ip...> wrote:
>>>>
>>>> Ah well that explains it then, thanks Lonnie.
>>>>
>>>> I'm glad I found this out early as I have been looking at building a hosted Astlinux server with connectivity via OpenVPN from Yealink phones and this requirement would certainly make this difficult.
>>>> So are there any other options here? It seems crazy having to drop all your existing OVPN connections just to configure a new one.
>>>>
>>>> Regards
>>>> Michael Knill
>>>>
>>>> -----Original Message-----
>>>> From: Lonnie Abelbeck <li...@lo...>
>>>> Reply-To: AstLinux List <ast...@li...>
>>>> Date: Monday, 11 September 2017 at 11:16 pm
>>>> To: AstLinux List <ast...@li...>
>>>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>>>>
>>>> Michael,
>>>>
>>>> If you have OpenVPN Server -> Client Certificates and Keys: -> Client Name with one or more "disabled" checked, you will have to Restart OpenVPN Server whenever you add a new Client.
>>>>
>>>> This is not an OpenVPN requirement per se, but rather the configuration for openvpn.
>>>>
>>>> To explain more ... if there are no "disabled" clients then the rc.conf variable OVPN_VALIDCLIENTS is not defined, and the openvpn configuration does not include a tls-verify option.
>>>>
>>>> On the other hand, if there are "disabled" clients then the rc.conf variable OVPN_VALIDCLIENTS is defined, and the configuration includes a "tls-verify /usr/sbin/openvpn-tls-verify" option. As such only client CN's in OVPN_VALIDCLIENTS are allowed. If you add a new Client you need to Restart OpenVPN Server to update the config; that goes for most any change in OpenVPN Server.
>>>>
>>>> Lonnie
>>>>
>>>>
>>>>
>>>>> On Sep 10, 2017, at 11:59 PM, Michael Knill <mic...@ip...> wrote:
>>>>>
>>>>> Thanks Lonnie. I suspect that this is not the problem but I can't understand why I need to restart the server before it works.
>>>>>
>>>>> Regards
>>>>> Michael Knill
>>>>>
>>>>> -----Original Message-----
>>>>> From: Lonnie Abelbeck <li...@lo...>
>>>>> Reply-To: AstLinux List <ast...@li...>
>>>>> Date: Monday, 11 September 2017 at 1:24 pm
>>>>> To: AstLinux List <ast...@li...>
>>>>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>>>>>
>>>>> Michael,
>>>>>
>>>>> You could try
>>>>> -- OpenVPN Server --
>>>>> Raw Commands: duplicate-cn
>>>>> --
>>>>> and see if that helps. But you need to understand if you really need "multiple clients using the same certificate or username to concurrently connect".
>>>>>
>>>>> Is there an OpenVPN client you forgot about? Are any sharing a username?
>>>>>
>>>>> I can generate the "duplicate-cn" log myself by connecting, disconnecting and re-connecting using the same client. But it all works, no issues.
>>>>>
>>>>> Lonnie
>>>>>
>>>>>
>>>>>> On Sep 10, 2017, at 9:22 PM, Michael Knill <mic...@ip...> wrote:
>>>>>>
>>>>>> Ah I did remember seeing something in the logs about this:
>>>>>> Mon Sep 11 11:26:06 2017 us=913475 MULTI: new connection by client '001565F4634C' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
>>>>>>
>>>>>> Is this a complaint? Should I just enable it anyway?
>>>>>> I assume I add it to the RAW Commands?
>>>>>>
>>>>>> Regards
>>>>>> Michael Knill
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Lonnie Abelbeck <li...@lo...>
>>>>>> Reply-To: AstLinux List <ast...@li...>
>>>>>> Date: Monday, 11 September 2017 at 11:52 am
>>>>>> To: AstLinux List <ast...@li...>
>>>>>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>>>>>>
>>>>>> Michael,
>>>>>>
>>>>>> Judging from your error log the Yealink's client CN (Common Name) did not match any of the allowed (non-checked) Clients in the server. As long as you are certain the Yealink client cert is good.
>>>>>>
>>>>>> You are not "sharing" a client certificate, are you? If you are, do you have the "duplicate-cn" raw command added? From the OpenVPN docs ...
>>>>>>
>>>>>> --duplicate-cn
>>>>>> Allow multiple clients with the same common name to concurrently connect. In the absence of this option, OpenVPN will disconnect a client instance upon connection of a new client having the same common name.
>>>>>>
>>>>>> Sounds a little like what you are describing.
>>>>>>
>>>>>> else ...
>>>>>>
>>>>>> Is your Yealink running the latest (or recent) firmware?
>>>>>>
>>>>>> AstLinux is using the latest OpenVPN series 2.4.x.
>>>>>>
>>>>>> You can increase the Log Verbosity: to High on the server and see if that helps to find a clue.
>>>>>>
>>>>>> Lonnie
>>>>>>
>>>>>>
>>>>>>> On Sep 10, 2017, at 8:08 PM, Michael Knill <mic...@ip...> wrote:
>>>>>>>
>>>>>>> Hi Lonnie
>>>>>>>
>>>>>>> Do you mean Client Name? Yes, I do have one disabled if so, but it is not the one I was having problems with.
>>>>>>>
>>>>>>> After testing I can now confirm that this issue occurs when I configure up a new phone and it goes away (and VPN establishes) when I restart the OpenVPN server.
>>>>>>> Can you think why this could be happening?
>>>>>>>
>>>>>>> Regards
>>>>>>> Michael Knill
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Lonnie Abelbeck <li...@lo...>
>>>>>>> Reply-To: AstLinux List <ast...@li...>
>>>>>>> Date: Monday, 11 September 2017 at 9:55 am
>>>>>>> To: AstLinux List <ast...@li...>
>>>>>>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>>>>>>>
>>>>>>> Michael,
>>>>>>>
>>>>>>> On your OpenVPN Server configuration (at the bottom), you must have at least one CommonName disabled.
>>>>>>>
>>>>>>> Client Certificates and Keys: -> Disabled checked (correct?)
>>>>>>>
>>>>>>> This will define the variable OVPN_VALIDCLIENTS and is checked with the /usr/sbin/openvpn-tls-verify script
>>>>>>>
>>>>>>> Is your Yealink using one of the "Disabled" CommonNames?
>>>>>>>
>>>>>>> Lonnie
>>>>>>>
>>>>>>>
>>>>>>>> On Sep 10, 2017, at 6:34 PM, Michael Knill <mic...@ip...> wrote:
>>>>>>>>
>>>>>>>> I am having some issues with setting up OpenVPN on my Yealink phones. It used to be easy to set up but now it's a bit flaky.
>>>>>>>> Once it's up it seems to be fine but getting it to that stage is an issue.
>>>>>>>>
>>>>>>>> I noticed that I am getting these in the logs:
>>>>>>>> Mon Sep 11 08:05:39 2017 us=888912 115.187.181.61:36531 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
>>>>>>>>
>>>>>>>> I'm not sure what they mean? What could the problem be?
>>>>>>>>
>>>>>>>> Regards
>>>>>>>> Michael Knill
>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>> Check out the vibrant tech community on one of the world's most
>>>>>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>>>>>> _______________________________________________
>>>>>>>> Astlinux-users mailing list
>>>>>>>> Ast...@li...
>>>>>>>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>>>>>>>
>>>>>>>> Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....
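The tls-verify flow discussed in the thread above, as an added example in POSIX sh that is not the AstLinux project's own /usr/sbin/openvpn-tls-verify script: OpenVPN hands the hook a certificate depth and an X.509 subject, the hook consults OVPN_VALIDCLIENTS, and, following Lonnie's proposal, it reads the GUI-written config only when that file is newer than rc.conf, failing closed in the "all Disabled boxes cleared after start" edge case he describes. It assumes OVPN_VALIDCLIENTS is a whitespace-separated list of Common Names and that subjects arrive in OpenVPN 2.4's default "CN=name, O=org" form; the two config paths are passed as parameters so constructed fixture files can stand in for the real ones.

```shell
#!/bin/sh
# Added example, not the AstLinux openvpn-tls-verify script. OpenVPN runs a
# --tls-verify script with two arguments, the certificate depth and the X.509
# subject string, and accepts the certificate only when the script exits 0.
#
# Assumptions (not stated in the thread): OVPN_VALIDCLIENTS holds a
# whitespace-separated list of allowed Common Names, and subjects arrive in
# OpenVPN 2.4's default "CN=name, O=org" form (the older "/C=US/CN=name"
# form is handled too).

# Lonnie's sanity check: prefer the GUI-written file, but only when it is
# newer than the rc.conf generated at the last service (re)start.
# $1 = gui.openvpn.conf path, $2 = rc.conf path; prints the file to source.
pick_conf() {
  if [ -f "$1" ] && { [ ! -f "$2" ] || [ "$1" -nt "$2" ]; }; then
    printf '%s\n' "$1"
  elif [ -f "$2" ]; then
    printf '%s\n' "$2"
  else
    return 1            # nothing to consult: the caller fails closed
  fi
}

# Extract the Common Name from a subject string; prints nothing if absent.
cn_from_subject() {
  printf '%s\n' "$1" | sed -n 's/.*CN=\([^,/]*\).*/\1/p' | sed 's/[[:space:]]*$//'
}

# Return 0 when "$1" appears in the whitespace-separated allow-list "$2".
cn_allowed() {
  for allowed in $2; do
    [ "$allowed" = "$1" ] && return 0
  done
  return 1
}

# The hook itself. $1 = depth, $2 = subject, $3 = gui.openvpn.conf, $4 = rc.conf.
# Returns 0 (accept) or 1 (reject), which is what OpenVPN expects of the script.
tls_verify() {
  depth="$1"; subject="$2"
  # Only the leaf certificate (depth 0) names a client; CA certificates
  # higher in the chain are already checked by OpenVPN against its --ca.
  [ "$depth" -eq 0 ] || return 0
  conf=$(pick_conf "$3" "$4") || return 1
  OVPN_VALIDCLIENTS=""      # never inherit a stale list from the environment
  # rc.conf-style files are shell syntax, so sourcing is how the values are
  # read; the file must be writable by root only for this to be safe.
  . "$conf"
  # An empty list while tls-verify is still active is Lonnie's edge case
  # (all "Disabled" boxes cleared after start): fail closed until a restart.
  [ -n "$OVPN_VALIDCLIENTS" ] || return 1
  cn=$(cn_from_subject "$subject")
  [ -n "$cn" ] || return 1
  cn_allowed "$cn" "$OVPN_VALIDCLIENTS"
}

# Constructed fixture (not real AstLinux files): an rc.conf from an earlier
# restart plus a newer gui.openvpn.conf in which phone3 has just been added.
make_fixture() {
  dir=$(mktemp -d)
  printf 'OVPN_VALIDCLIENTS="phone1 phone2"\n' > "$dir/rc.conf"
  touch -t 200001010000 "$dir/rc.conf"
  printf 'OVPN_VALIDCLIENTS="phone1 phone2 phone3"\n' > "$dir/gui.openvpn.conf"
  printf '%s\n' "$dir"
}

# Walk two constructed subjects through the hook: the freshly added phone3
# is accepted without a restart, an unknown CN is rejected.
demo() {
  d=$(make_fixture)
  for subj in "CN=phone3, O=Example" "CN=oldphone, O=Example"; do
    if tls_verify 0 "$subj" "$d/gui.openvpn.conf" "$d/rc.conf"; then
      echo "accept  $subj"
    else
      echo "reject  $subj"
    fi
  done
  rm -rf "$d"
}

demo
```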
From: Michael K. <li...@mk...> - 2017-09-12 20:57:46
For me too!

Sent from a mobile device.

Michael Keuter

> On 12.09.2017 at 22:20, Michael Knill <mic...@ip...> wrote:
>
> Sounds great to me!
>
> Regards
> Michael Knill
>
> -----Original Message-----
> From: Lonnie Abelbeck <li...@lo...>
> Reply-To: AstLinux Developers Mailing List <ast...@li...>
> Date: Wednesday, 13 September 2017 at 4:55 am
> To: AstLinux Developers Mailing List <ast...@li...>
> Subject: [Astlinux-devel] Adding OpenVPN clients needs a service restart (sometimes)
>
> Moved to the astlinux-devel list ...
>
> I thought of a more elegant solution, how about if in the /usr/sbin/openvpn-tls-verify script we source /mnt/kd/rc.conf.d/gui.openvpn.conf instead of /etc/rc.conf ?
>
> Possibly we could make sure /mnt/kd/rc.conf.d/gui.openvpn.conf is newer than /etc/rc.conf as a sanity check.
>
> While this would not be perfect, it would use the updated OVPN_VALIDCLIENTS when a new client was added without having to restart OpenVPN.
>
> Additionally, if one or more clients are already "Disabled" this would also allow additional clients to be Disabled without restarting OpenVPN.
>
> The only edge condition I can think of is when OpenVPN was last started with "Disabled" clients and later all "Disabled" clients were unchecked (Enabled) and saved; in that case an OpenVPN Server restart would be needed, and no new clients could connect until the restart. A low percentage edge condition compared to the typical operation.
>
> Needs some testing ...
>
> Lonnie
>
>
>> On Sep 11, 2017, at 4:46 PM, Michael Knill <mic...@ip...> wrote:
>>
>> Hi Lonnie
>>
>> Could we reconfigure the script so that when you press the 'New Client' button it automatically does this?
From: Michael K. <mic...@ip...> - 2017-09-12 20:20:53
|
Sounds great to me!

Regards
Michael Knill

-----Original Message-----
From: Lonnie Abelbeck <li...@lo...>
Reply-To: AstLinux Developers Mailing List <ast...@li...>
Date: Wednesday, 13 September 2017 at 4:55 am
To: AstLinux Developers Mailing List <ast...@li...>
Subject: [Astlinux-devel] Adding OpenVPN clients needs a service restart (sometimes)

Moved to the astlinux-devel list ...

I thought of a more elegant solution, how about if in the /usr/sbin/openvpn-tls-verify script we source /mnt/kd/rc.conf.d/gui.openvpn.conf instead of /etc/rc.conf ?

Possibly we could make sure /mnt/kd/rc.conf.d/gui.openvpn.conf is newer than /etc/rc.conf as a sanity check.

While this would not be perfect, it would use the updated OVPN_VALIDCLIENTS when a new client was added without having to restart OpenVPN.

Additionally, if one or more clients are already "Disabled" this would also allow additional clients to be Disabled also without restarting OpenVPN.

The only edge condition I can think of is when OpenVPN was last started with "Disabled" clients and later all "Disabled" clients were unchecked (Enabled) and saved, in that case an OpenVPN Server restart would be needed, and no new clients could connect until the restart. A low percentage edge condition compared to the typical operation.

Needs some testing ...

Lonnie

On Sep 11, 2017, at 4:46 PM, Michael Knill <mic...@ip...> wrote:

> Hi Lonnie
>
> Could we reconfigure the script so that when you press the 'New Client' button it automatically does this?
>
> Regards
> Michael Knill
>
> -----Original Message-----
> From: Lonnie Abelbeck <li...@lo...>
> Reply-To: AstLinux List <ast...@li...>
> Date: Tuesday, 12 September 2017 at 7:01 am
> To: AstLinux List <ast...@li...>
> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>
> Michael,
>
> Not having any "disabled" Client CN's would be a solution.
>
> Power User tip -> if (only) a new Client is added with previously "disabled" Client CN's and continued "disabled" Client CN's, the CLI command "gen-rc-conf" will apply the new OVPN_VALIDCLIENTS without restarting OpenVPN.
>
> Lonnie
>
>
> On Sep 11, 2017, at 3:43 PM, Michael Knill <mic...@ip...> wrote:
>
>> Ah well that explains it then thanks Lonnie.
>>
>> I'm glad I found this out early as I have been looking at building a hosted Astlinux server with connectivity via OpenVPN from Yealink phones and this requirement would certainly make this difficult.
>> So are there any other options here? It seems crazy having to drop all your existing OVPN connections just to configure a new one.
>>
>> Regards
>> Michael Knill
>>
>> -----Original Message-----
>> From: Lonnie Abelbeck <li...@lo...>
>> Reply-To: AstLinux List <ast...@li...>
>> Date: Monday, 11 September 2017 at 11:16 pm
>> To: AstLinux List <ast...@li...>
>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>>
>> Michael,
>>
>> If you have OpenVPN Server -> Client Certificates and Keys: -> Client Name with one or more "disabled" checked, you will have to Restart OpenVPN Server whenever you add a new Client.
>>
>> This is not an OpenVPN requirement per se, but rather the configuration for openvpn.
>>
>> To explain more ... if there are no "disabled" clients then the rc.conf variable OVPN_VALIDCLIENTS is not defined, the openvpn configuration does not include a tls-verify option.
>>
>> On the other hand, if there are "disabled" clients then the rc.conf variable OVPN_VALIDCLIENTS is defined, the configuration includes a "tls-verify /usr/sbin/openvpn-tls-verify" option. As such only client CN's in OVPN_VALIDCLIENTS are allowed. If you add a new Client you need to Restart OpenVPN Server to update the config, that goes for most any change in OpenVPN Server.
>>
>> Lonnie
>>
>>
>>
>> On Sep 10, 2017, at 11:59 PM, Michael Knill <mic...@ip...> wrote:
>>
>>> Thanks Lonnie. I suspect that this is not the problem but I can't understand why I need to restart the server before it works.
>>>
>>> Regards
>>> Michael Knill
>>>
>>> -----Original Message-----
>>> From: Lonnie Abelbeck <li...@lo...>
>>> Reply-To: AstLinux List <ast...@li...>
>>> Date: Monday, 11 September 2017 at 1:24 pm
>>> To: AstLinux List <ast...@li...>
>>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>>>
>>> Michael,
>>>
>>> You could try
>>> -- OpenVPN Server --
>>> Raw Commands: duplicate-cn
>>> --
>>> and see if that helps. But you need to understand if you really need "multiple clients using the same certificate or username to concurrently connect".
>>>
>>> Is there an OpenVPN client you forgot about ? Are any sharing a username ?
>>>
>>> I can generate the "duplicate-cn" log myself by connecting, disconnecting and re-connecting using the same client. But it all works, no issues.
>>>
>>> Lonnie
>>>
>>>
>>> On Sep 10, 2017, at 9:22 PM, Michael Knill <mic...@ip...> wrote:
>>>
>>>> Ah I did remember seeing something in the logs about this:
>>>> Mon Sep 11 11:26:06 2017 us=913475 MULTI: new connection by client '001565F4634C' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
>>>>
>>>> Is this a complaint? Should I just enable it anyway?
>>>> I assume I add it to the RAW Commands?
>>>>
>>>> Regards
>>>> Michael Knill
>>>>
>>>> -----Original Message-----
>>>> From: Lonnie Abelbeck <li...@lo...>
>>>> Reply-To: AstLinux List <ast...@li...>
>>>> Date: Monday, 11 September 2017 at 11:52 am
>>>> To: AstLinux List <ast...@li...>
>>>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>>>>
>>>> Michael,
>>>>
>>>> Judging from your error log the Yealink's client CN (Common Name) did not match any of the allowed (non-checked) Clients in the server. As long as you are certain the Yealink client cert is good.
>>>>
>>>> You are not "sharing" a client certificate are you ? If you are do you have the "duplicate-cn" raw command added ? From the OpenVPN docs ...
>>>>
>>>> --duplicate-cn
>>>> Allow multiple clients with the same common name to concurrently connect. In the absence of this option, OpenVPN will disconnect a client instance upon connection of a new client having the same common name.
>>>>
>>>> Sounds a little like what you are describing.
>>>>
>>>> else ...
>>>>
>>>> Is your Yealink running the latest (or recent) firmware ?
>>>>
>>>> AstLinux is using the latest OpenVPN series 2.4.x.
>>>>
>>>> You can increase the Log Verbosity: to High on the server and see if that helps to find a clue.
>>>>
>>>> Lonnie
>>>>
>>>>
>>>> On Sep 10, 2017, at 8:08 PM, Michael Knill <mic...@ip...> wrote:
>>>>
>>>>> Hi Lonnie
>>>>>
>>>>> Do you mean Client Name? Yes I do have one disabled if so but it is not the one I was having problems with.
>>>>>
>>>>> After testing I can now confirm that this issue occurs when I configure up a new phone and it goes away (and VPN establishes) when I restart the OpenVPN server.
>>>>> Can you think why this could be happening?
>>>>>
>>>>> Regards
>>>>> Michael Knill
>>>>>
>>>>> -----Original Message-----
>>>>> From: Lonnie Abelbeck <li...@lo...>
>>>>> Reply-To: AstLinux List <ast...@li...>
>>>>> Date: Monday, 11 September 2017 at 9:55 am
>>>>> To: AstLinux List <ast...@li...>
>>>>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>>>>>
>>>>> Michael,
>>>>>
>>>>> On your OpenVPN Server configuration (at the bottom), you must have at least one CommonName disabled.
>>>>>
>>>>> Client Certificates and Keys: -> Disabled checked (correct ?)
>>>>>
>>>>> This will define the variable OVPN_VALIDCLIENTS and is checked with the /usr/sbin/openvpn-tls-verify script
>>>>>
>>>>> Is your Yealink using one of the "Disabled" CommonNames ?
>>>>>
>>>>> Lonnie
>>>>>
>>>>>
>>>>> On Sep 10, 2017, at 6:34 PM, Michael Knill <mic...@ip...> wrote:
>>>>>
>>>>>> I am having some issues with setting up OpenVPN on my Yealink phones. It used to be easy to set up but now it's a bit flaky.
>>>>>> Once it's up it seems to be fine but getting it to that stage is an issue.
>>>>>>
>>>>>> I noticed that I am getting these in the logs:
>>>>>> Mon Sep 11 08:05:39 2017 us=888912 115.187.181.61:36531 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
>>>>>>
>>>>>> I'm not sure what they mean? What could the problem be?
>>>>>>
>>>>>> Regards
>>>>>> Michael Knill
>>>>>> ------------------------------------------------------------------------------
>>>>>> Check out the vibrant tech community on one of the world's most
>>>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>>>> _______________________________________________
>>>>>> Astlinux-users mailing list
>>>>>> Ast...@li...
>>>>>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>>>>>
>>>>>> Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Astlinux-devel mailing list
Ast...@li...
https://lists.sourceforge.net/lists/listinfo/astlinux-devel |
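The tls-verify check the thread describes, as an added example that is not AstLinux's own /usr/sbin/openvpn-tls-verify script: it pulls the client CN out of the subject OpenVPN hands the script, looks it up in OVPN_VALIDCLIENTS, and applies Lonnie's proposed rule of preferring gui.openvpn.conf when it is newer than rc.conf. The space-separated OVPN_VALIDCLIENTS format and the two config paths taken as extra arguments are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not AstLinux's own /usr/sbin/openvpn-tls-verify script.
# OpenVPN runs a --tls-verify script with two arguments (certificate depth,
# X509 subject line); exit 0 accepts, non-zero rejects the connection, which
# is what the "exited with error status: 1" warning in the thread reports.
# Assumed: OVPN_VALIDCLIENTS is a space-separated list of allowed CNs, and
# the config paths are extra arguments here only so the logic is testable.

# Pull the CN out of an X509 one-line subject. Accepts the OpenVPN 2.4
# default form "C=AU, O=Example, CN=phone1" and the legacy
# "/C=AU/O=Example/CN=phone1" form. Prints nothing if there is no CN.
cn_from_subject() {
  printf '%s\n' "$1" | sed -n 's/.*CN=\([^,/]*\).*/\1/p'
}

# Return 0 if CN $2 is listed in OVPN_VALIDCLIENTS of config file $1.
cn_allowed() {
  OVPN_VALIDCLIENTS=""
  . "$1"
  for allowed in $OVPN_VALIDCLIENTS; do
    [ "$allowed" = "$2" ] && return 0
  done
  return 1
}

# tls-verify entry point: $1 depth, $2 subject, $3 generated rc.conf,
# $4 GUI-written gui.openvpn.conf. Only depth 0 (the client's own cert) is
# checked; CA certs further up the chain always pass. As the thread proposes,
# the GUI file wins when newer than rc.conf, so a newly added client is
# honoured without an OpenVPN restart.
tls_verify() {
  [ "$1" -ne 0 ] && return 0
  conf="$3"
  if [ -f "$4" ] && [ "$4" -nt "$3" ]; then
    conf="$4"
  fi
  cn=$(cn_from_subject "$2")
  [ -n "$cn" ] || return 1
  cn_allowed "$conf" "$cn"
}

# Constructed sample data (not from a real system): rc.conf was generated
# earlier (mtime forced back to 2000) and the GUI file later added phone3.
DEMO_DIR=$(mktemp -d)
printf 'OVPN_VALIDCLIENTS="phone1 phone2"\n' > "$DEMO_DIR/rc.conf"
touch -t 200001010000 "$DEMO_DIR/rc.conf"
printf 'OVPN_VALIDCLIENTS="phone1 phone2 phone3"\n' > "$DEMO_DIR/gui.openvpn.conf"

for subject in "C=AU, O=Example, CN=phone3" "/C=AU/O=Example/CN=phone9"; do
  if tls_verify 0 "$subject" "$DEMO_DIR/rc.conf" "$DEMO_DIR/gui.openvpn.conf"; then
    echo "accept: $subject"
  else
    echo "reject: $subject"
  fi
done
```

The edge case Lonnie mentions shows up directly: if every Disabled box is later unchecked, OVPN_VALIDCLIENTS becomes empty while the running server still carries the tls-verify option, so this check rejects every client until OpenVPN is restarted.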